By Anthony Chapman, CPA, CITP | WithumSmith+Brown PC
SOC (Service Organization Controls) audits are internal control audit engagements that are performed for service organizations. SOC audit reports are typically required by, and provided to, the customers of the service organizations.
SOC audits have only been available since mid-2011. Prior to that, the audit standard that was available for service organizations was SAS 70. SAS 70 audit reports, however, only addressed the control objectives and the supporting control activities applicable to financial reporting. The business process and information technology outsourcing landscape has changed significantly since SAS 70 was developed in the 1990s, and the needs of the marketplace were no longer properly addressed by SAS 70 reports.
Now the SOC standards allow for different reports for different purposes.
SOC 1 reports are focused on internal controls over financial reporting, and are the closest reporting standard to the former SAS 70.
- This option is suited to service organizations that process financial transactions or financial related data for their customers.
- SOC 1 reports include the following:
  - Control objectives
  - Supporting information technology and business process control activities relevant to its user organizations and the independent auditors of the user organizations
- Other than current best practices, there are no specific requirements or standards as to what control objectives and activities should be included in the audit scope. As such, user organizations and their independent auditors should evaluate the scope of the reports and conclude as to their completeness for their purposes.
SOC 1 reports can either be a Type I or Type II.
- Type I reports are as of a specific date and address management’s assertions, management’s description of the system, and the design of the controls.
- Type II reports are for a period of time and, in addition to the elements of the Type I report, they address the effectiveness of the control activities from a financial auditing standpoint. Type II reports will include a control testing matrix and will indicate the type of audit tests applied to each control activity and the results of the detailed testing. The additional information provided in a Type II report enables the user organization and its independent auditors to obtain a much better understanding of the system of controls in place.
- Since a Type II report covers a period of time (usually 12 months), it typically provides coverage for most or all of a user entity’s audit period.
- If the Type II report does not cover the entire audit period for the user organization, a bridge letter is frequently requested from management of the service organization that will address any changes to the control environment for the stub period.
- The PCAOB has indicated that a SOC 1 Type II report is the only report that may be relied upon by independent auditors with regard to Section 404 of the Sarbanes-Oxley Act (SOX). SOX requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404 requires the auditor of a publicly held accelerated filer (companies with more than $75 million in market capitalization) to attest to, and report on, management’s assessment of its internal controls.
SOC 2 reports are focused on service organization controls related to compliance or operation and address issues such as security, availability (uptime), processing integrity, confidentiality, and privacy.
- SOC 2 audit reports address the concerns of entities that use a service organization to provide services that are not related to financial reporting.
- Typical examples are data hosting, software-as-a-service (SaaS) providers or cloud-based entities.
Like SOC 1 reports, SOC 2 reports can either be Type I or Type II.
- SOC 2 reports are based on the AICPA Trust Service Principles, and each of the five principles has defined criteria that must be mapped to individual controls at the service organization to achieve adherence to the principles. If any criterion is not mapped to a specific control activity, the report must address the exception.
- At a minimum, a service organization must include the Trust Services Principle of Security (common criteria), but depending on the services provided the service organization can elect to add one or more of the additional four principles. In the wake of numerous high-impact data breaches, many organizations are strengthening their vendor management requirements for all service providers - financial and nonfinancial.
Any organization that provides services that involve the collection, storage, processing or transmission of information received from customers must ensure that the information technology and business process controls applied to this data are secure. Customers of these service organizations can obtain information about their service providers’ controls over their data from SOC 2 reports.
SOC 1 and SOC 2 reports contain extensive information about an organization’s controls, and both types of reports are restricted-use documents. The distribution of SOC 1 and SOC 2 reports is limited to the service organization, user entities, and the independent auditors of user organizations. With the introduction of SOC 1 and SOC 2 reports, the AICPA created a SOC logo that can be displayed on all printed and electronic media of service organizations that have been issued a SOC 1 or SOC 2 report. A service organization that registers its report with the AICPA is granted the right to use the AICPA SOC logo, free of charge.
SOC reports provide valuable information to user entities and their independent auditors about the business processes and information technology controls in place at service organizations. Without this information user entities would be unable to make informed decisions about the controls at third-party service providers concerning their transactions and data.
Anthony Chapman, CPA, CITP is SOC specialist partner, practice leader, at WithumSmith+Brown PC. To hear more from Chapman on SOC reports, attend the PICPA’s Employee Benefit Plans Conference in Lancaster or via webcast on May 19-20. View the full agenda and register at www.picpa.org/ebp.