Service Organization Control (SOC) Reports
Have you been asked to produce a SOC report as part of an RFP response or by a potential client? While SOC reports are time-consuming, they do provide a basis for a general set of controls and testing that allows your organization to be audited once, instead of separately by every client. In general, the SOC 1® provides a review of financial controls, while the SOC 2® is used for the controls over IT. Both reports can be either a Type I or Type II report. The Type I report is a review of the control design, while a Type II covers both control design and operating effectiveness testing.
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act, and of the work of the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders’:
- Oversight of the organization
- Vendor management program
- Internal corporate governance and risk management processes
- Regulatory oversight
Similar to the SOC 1® engagement, there are two types of report: Type 2, a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and Type 1, a report on management’s description of a service organization’s system and the suitability of the design of controls. These reports may be restricted in use.
Trust Services Report for Service Organizations
SOC 3® reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® report. These reports are prepared using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 3® reports are general use reports, they can be freely distributed.