
FAQ: System and Organizational Control (SOC) Reports

By Mary Jo Richard

December 28, 2017

What is a service organization and a user entity?

A service organization is an organization that provides services to its customers or others (user entities).

A user entity is the business that uses the services of a service organization.

What is the SOC suite of services?

System and Organization Controls (SOC) is a suite of service offerings CPAs may provide. The report on the controls at the service organization provides valuable information that users need to assess and address the risk associated with outsourced services.

  • SOC 1 – SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
  • SOC 2 – SOC for Service Organizations: Trust Service Criteria
  • SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
  • SOC for Cybersecurity: Entity-Level Cybersecurity Risk Management program

Which SOC report applies to my organization?

SOC 1 – A report on internal control over financial reporting at a service organization.

SOC 2 and SOC 3 – A report on internal control related to information systems and data security, availability, confidentiality, processing integrity, and/or privacy at a service organization.

SOC for Cybersecurity – A report about the effectiveness of a service organization’s cybersecurity risk management program.

What additional characteristics distinguish SOC 1, SOC 2 and SOC 3?

A SOC 1 report is specifically designed to provide management of the service organization, user entities, and their independent auditors (user auditors) with information about the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting. The SOC 1 report enables the user entities’ auditor to perform risk assessment procedures during the planning and performing of an audit of the financial statements. Use of the report is restricted to management, user entities and their independent auditors.

A SOC 2 report is specifically designed to meet the needs of a broad range of users including management of service organizations, user entities, and other specified parties. The SOC 2 report provides information about the internal controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (as established by TSP 100). Use of the report is generally restricted.

A SOC 3 report is a public report. It provides interested parties with a service auditor’s opinion about controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.

How is SSAE 18 related to SOC?

The AICPA’s Auditing Standards Board (ASB) has revised all of the existing attestation standards by clarifying the Statements on Standards for Attestation Engagements (SSAEs) and issuing SSAE 18, Attestation Standards: Clarification and Recodification. Although SOC reports now reference a new standard, we would not consider the revisions significant.

How do SSAE 16 (AT 801), AT 101 and SSAE 18 differ?

SSAE 18 is the new standard for all attestation engagements, including the new SOC for cybersecurity.

SSAE 16 (AT 801) is the old standard for SOC 1 engagements.

The new guidance in SSAE 18 is as follows:

  • AT-C Section 105, Concepts Common to All Attestation Engagements
  • AT-C Section 205, Examination Engagements
  • AT-C Section 320, Reporting on the Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

AT 101 is the old standard for SOC 2 and SOC 3 engagements.

The new guidance in SSAE 18 is as follows:

  • AT-C Section 105, Concepts Common to All Attestation Engagements
  • AT-C Section 205, Examination Engagements

What changed with the issuance of SSAE 18?

The actual changes to SOC engagements relate to the following:

  • Vendor management
  • Risk assessment
  • Complementary subservice organization controls
  • Reliability of data

SSAE 18 requires the service organization to implement a vendor management program, to assess risk annually, and to monitor the complementary user controls at the subservice organizations. The service auditor will test the applicable controls and document the reliability of the data used for testing.

What is the difference between a Type 1 and a Type 2 Service Organization Report?

  • Type 1 – Report on management’s description of a service organization’s system and the suitability of the design of controls as of a point in time.
  • Type 2 – Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specified period of time.

What is a system description?

Management of a service organization is responsible for preparing the description of the service organization’s system, including the completeness, accuracy and method of presentation of the description. The system description includes the procedures within both manual and automated systems, by which services are provided, including procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary and transferred to reports and other information prepared for user entities.

Why would a service organization want a SOC 2 or SOC 3 report?

Because the SOC 2 and SOC 3 reports are based on predefined criteria, user entities may ask for a SOC 2 or SOC 3 report to provide them with assurance that controls are in compliance with industry standards. In addition, some companies use service providers for activities not relevant to the audited financial statements. Because a SOC 1 report can only be used for processes related to internal control over financial reporting, user entities may request a SOC 2 or SOC 3 report for assurance that the predefined controls (TSP 100) are in place.

What is the difference between a SOC 2 and SOC 3 report?

The main difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and the results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system, and is generally a restricted-use report. A SOC 3 report covers the same subject matter as a SOC 2 report but is intended for a general audience; SOC 3 reports are shorter and do not include the same level of detail as a SOC 2 report.

Can I get more than one report?

Yes. Because the same criteria are used for SOC 2 and SOC 3 reports, many service providers will choose to do both. Service providers that need a SOC 1 (because their services are relied upon by their clients’ financial auditors), but still want to provide assurance they meet the predefined trust services criteria, may find it advantageous to align their SOC 1 controls with the predefined Trust Services criteria. While the reports cannot be combined, certain testing performed in each engagement may provide evidence for the other engagements. This simplifies the compliance process for the service provider and allows the service provider to offer all three reports to its clients, in addition to using the SOC 3 for marketing purposes.

How do I get started?

Before committing to a comprehensive SOC examination, we can help you with a readiness assessment. The purpose of a readiness assessment is to assist with the following:

  • Determining the boundaries to be included in the engagement
  • Assisting with the system description for SOC 1, SOC 2 and SOC 3
  • Assisting with the determination of the control objectives and the control activities (SOC 1)
  • Assisting with the determination of the control activities related to the Trust Services Principles (SOC 2 and SOC 3)
  • Assisting with the description of the cybersecurity risk management framework (SOC for cybersecurity)
  • Determining whether control weaknesses are present
  • Recommending remediation

Performing a readiness assessment prior to the SOC examination gives management an opportunity to remediate or implement controls to achieve the control objectives before the examination begins.

What is SOC 2 + Additional Subject Matter?

The service organization has the option to include additional subject matter related to the service organization’s services.

Additional subject matter examples are as follows:

  • Cloud Security Alliance (CSA)
  • HITRUST
  • COBIT5
  • COSO 2013 Framework
  • ISO 27001
  • NIST 800-53 R4

The service organization provides an appropriate supplemental description of the additional subject matter, a description of the criteria used to measure and present the subject matter, and, if the criteria are related to controls, a description of the controls intended to meet the control-related criteria together with an assertion by management regarding the additional subject matter.

What is SOC for cybersecurity?

SOC for cybersecurity is a reporting framework to help organizations effectively communicate with key stakeholders on their cybersecurity risk management program and the effectiveness of controls within that program. SOC for cybersecurity is an examination engagement performed by independent CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program, and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use.
