Appendix D: AICPA SOC References and Resources

Service Organization Control Reports

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx)

Overview: Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization. They give users the information they need to assess and address the risks associated with an outsourced service.

SOC Reports Information for Service Organizations

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization’smanagement.aspx)

Overview: SOC reports are designed to help service organizations, which are organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent CPA. Each type of SOC report is designed to help service organizations meet specific user needs.

SOC Reports Information for CPAs

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/cpas.aspx)

Overview: To make CPAs aware of the various standards available to them for examining and reporting on controls at a service organization and to help CPAs select the appropriate standard for a particular engagement, the AICPA has introduced Service Organization ControlSM Reports and identified 3 different engagements (SOC 1, SOC 2, and SOC 3) that involve reporting on controls at a service organization. The following table identifies features of each of these engagements.

SOC Reports Member Toolkit

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/soctoolkit_firms.aspx)

Tools: The AICPA developed resources to help CPAs explain the new series of SOC reports to current and potential clients and for firms to market their services to them. Post the article on your website or run it in your firm’s digital or print publications and mailings. Conduct presentations using the PowerPoint that includes speaker notes. The flyer, which you may duplicate and distribute, is a good handout at presentations or can be mailed to clients.

SOC 1

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc1report.aspx)

Article: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

These reports, prepared in accordance with AT section 801, Reporting on Controls at a Service Organization (AICPA, Professional Standards), are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations, such as the Sarbanes-Oxley Act, and of the user entities’ auditors’ planning and performance of audits of the user entities’ financial statements. There are two types of reports for these engagements.

Comparison of SOC 1, SOC 2, and SOC 3 Reports

(www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparisionofsoc1-3.doc)

Overview: The following chart provides a convenient, detailed comparison of SOC 1, SOC 2, and SOC 3 reports, including, but not limited to, the purpose and components of each of the three reports.

Under what professional standard is the engagement performed?

  SOC 1 Reports: AT section 801, Reporting on Controls at a Service Organization; AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization.

  SOC 2 Reports: AT section 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM).

  SOC 3 Reports: AT section 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations (www.webtrust.net/downloads/WT.TrustServices.pdf).

What is the subject matter of the engagement?

  SOC 1 Reports: Controls at a service organization relevant to user entities’ internal control over financial reporting.

  SOC 2 Reports: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

  SOC 3 Reports: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

What is the purpose of the report?

  SOC 1 Reports: To provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

  SOC 2 Reports: To provide management of a service organization, user entities, and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy. A type 2 report that addresses the privacy principle also provides a CPA’s opinion about the service organization’s compliance with the commitments in its statement of privacy practices.

  SOC 3 Reports: To provide interested parties with a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy. A report that addresses the privacy principle also provides a CPA’s opinion about the service organization’s compliance with the commitments in its privacy notice.

What are the components of the report?

  SOC 1 Reports:

  • A description of the service organization’s system.

  • A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls.

  • In a type 2 report, a description of the service auditor’s tests of the controls and the results of the tests.

  SOC 2 Reports:

  • A description of the service organization’s system.

  • A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls.

  • If the report addresses the privacy principle, the service auditor’s opinion on whether the service organization complied with the commitments in its statement of privacy practices.

  • In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.

  • In a type 2 report that addresses the privacy principle, a description of the service auditor’s tests of the service organization’s compliance with the commitments in its statement of privacy practices and the results of those tests.

  SOC 3 Reports:

  • A service auditor’s report on whether the entity maintained effective controls over its system as it relates to the principle being reported on, that is, security, availability, processing integrity, confidentiality, or privacy, based on the applicable trust services criteria.

  • If the report addresses the privacy principle, the service auditor’s opinion on whether the service organization complied with the commitments in its statement of privacy practices.

Who are the intended users of the report?

  SOC 1 Reports: Auditors of the user entity’s financial statements, management of the user entities, and management of the service organization.

  SOC 2 Reports: Parties that are knowledgeable about

  • the nature of the service provided by the service organization;

  • how the service organization’s system interacts with user entities, subservice organizations, and other parties;

  • internal control and its limitations;

  • the criteria and how controls address those criteria.

  SOC 3 Reports: Anyone.

AICPA SOC Products

Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1SM)

(www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/IndustryspecificGuidance/PRDOVR~PC-0127910/PC-0127910.jsp)

This guide is designed to assist CPAs in transitioning from performing a service auditor’s engagement under Statement on Auditing Standards (SAS) No. 70, Service Organizations, to doing so under AT section 801, Reporting on Controls at a Service Organization, which replaces the guidance for service auditors in SAS No. 70.

Publications | eBook, Online Subscription, Paperback $60.00–$75.00

Service Organization Control ReportsSM: SOC 1, SOC 2, and SOC 3 On-Demand Series

(www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/PRDOVR~PC-780281/PC-780281.jsp)

This series of courses will provide information and guidance on the three new reporting options on controls at a service organization that have replaced SAS 70 reports.

CPE Self-Study | On-Demand $99.00–$236.25

Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM)

(www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InformationManagementTechnologyAssurance/PRDOVR~PC-0128210/PC-0128210.jsp)

This new guide summarizes the three new SOC engagements and provides detailed guidance for performing examinations under AT section 101, Attest Engagements, to report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy, commonly referred to as a SOC 2 engagement.

Publications | eBook, Online Subscription, Paperback $60.00–$75.00

Service Organization Control Reports®: Considerations for User and Service Auditors—Audit Alert

(http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PCARASRV/PC-ARASRV.jsp)

This Alert helps you master the complexities of service organization control (SOC) engagements, including determination of the scope of the engagement, as well as identifying and responding to the needs of the user auditor.

Publications | eBook, Paperback $32–$43.75
