Service Organization Control Reports

These days, most organizations outsource some function of their infrastructure to a third-party business. Imagine you are the owner of a company. Deciding to put your company’s sensitive data in someone else’s hands is a difficult decision to make. You’ll likely want to ensure that certain controls are in place before you take on such a risk. The functions the third party performs will touch the user organization’s records, which could include your customers’ health or financial information, for example.

As a result, service organizations find it important to instill trust and confidence in their customers. The service organization has a vested interest in helping its customers understand that adequate controls and processes are in place. Service Organization Control (SOC) reports provide such assurance. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues and maintains the attestation standards under which SOC engagements are performed. The primary stakeholders for SOC reports include the following:

  • User entities—The user entities, or organizations that rely on a service provider, benefit from SOC reports because they mitigate the risk associated with outsourcing services.

  • Service organizations—The service organizations want to earn and keep the business of the user entities. SOC reports provide user entities with confidence and the assurance of trust.

  • Auditors—Auditors from both the service-organization side and the user-entity side must understand the framework and standards for performing SOC engagements.

The Sarbanes-Oxley Act (SOX) has placed increased importance on SOC assessments. A goal of SOX is to maintain investor and public confidence through the accuracy and reliability of financial reporting. SOX essentially mandates the establishment of adequate internal controls. Consider that many organizations outsource all sorts of activities that could have implications for SOX. Payroll processing, for example, is commonly outsourced. SOX requires that adequate controls be in place regardless of whether the data are stored and processed in-house or by an external party, so the user entity must obtain assurance over the service organization’s controls as well as its own.

SOC reports take the form of three different engagements, which produce three different reports. The following are the three types of engagements and associated SOC reports:

  • SOC 1, Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting—These reports are based on Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced what was commonly known as Statement on Auditing Standards (SAS) No. 70, or SAS 70. (SSAE 16 has itself since been superseded by SSAE 18 for reports dated after May 2017, but the report is still widely referred to as an SSAE 16.) This report is intended to assure the organizations (user entities) that rely on the service provider. Auditors of the user entities use these reports in performing financial audits. There are two types of SOC 1 reports—Type 1 and Type 2. A Type 1 report includes the auditor’s opinion on whether the description of the service organization’s system is fairly presented and whether the controls are suitably designed as of a specific date. A Type 2 report covers the same ground but also reports on the operating effectiveness of the controls over a specified review period.

  • SOC 2, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy—The SOC 2 report was specifically created to address the wide and growing use of technology and cloud-based providers. As the name of the report implies, a SOC 2 considers the security, availability, processing integrity, confidentiality, and privacy of the service organization’s system and data; these five categories are known as the trust services principles (now trust services criteria). As with SOC 1, there are two types of SOC 2 reports: Type 1 and Type 2. A Type 1 report contains management’s description of the organization’s system and the auditor’s opinion on the suitability of the design of the controls as of a specific date. A Type 2 report contains the same but also includes the auditor’s tests of the controls’ operating effectiveness over a review period, typically six to twelve months. For a user entity, the Type 2 is the more useful report, because a Type 1 says nothing about whether the described controls actually operated.

  • SOC 3, Trust Services Report for Service Organizations—SOC 3 covers the same trust services principles as SOC 2 but may be more appropriate for a service provider whose customers don’t have the need or the knowledge to use the details provided by a SOC 2. A SOC 3 report contains the auditor’s opinion but omits the detailed system description and test results found in a SOC 2. Unlike SOC 1 and SOC 2 reports, which are restricted to specific audiences, SOC 3 reports can be freely distributed, for example as a seal on the provider’s website.

Table 4-2, adapted from the AICPA’s “SOC Reports Information for CPAs,” provides a comparison between the three different SOC types. Further, the AICPA website (http://www.aicpa.org) provides comprehensive information and valuable SOC guides and publications.

TABLE 4-2 Comparison of SOC reports.


Although SOC 1 reports have effectively replaced SAS 70 reports since about 2010, they continued to be called SAS 70 reports for many years afterward. If that wasn’t confusing enough, the SOC 1 report is also commonly referred to as SSAE 16, which is the standard on which the SOC 1 brand is based. Finally, it’s important to point out that a SOC 1 report, like the SAS 70 before it, is strictly related to internal controls over financial reporting. SAS 70 reports were nonetheless widely used to vouch for the security and other IT controls of service providers, a purpose they were never designed for, and closing that gap is largely the AICPA’s intent behind the SOC 2. When the outsourced service has no genuine bearing on the user entity’s internal controls over financial reporting, a SOC 2 is the appropriate report, which makes it the most relevant one for user entities that deal with many IT providers, and specifically with the growing number of cloud service providers. Thus far, however, the trend has still been focused on SOC 1 compliance. While SOC 1 and its predecessor are well understood and accepted, the others have yet to fully mature.
