FAQ: System and Organizational Control (SOC) Reports

By Mary Jo Richard

December 28, 2017

What is a service organization and a user entity?

A service organization is an organization that provides services to its customers or others (user entities).

A user entity is the business that uses the services of a service organization.

What is the SOC suite of services?

System and Organization Controls (SOC) is a suite of service offerings CPAs may provide. The report on the controls at the service organization provides valuable information that users need to assess and address the risk associated with outsourced services.

  • SOC 1 – SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
  • SOC 2 – SOC for Service Organizations: Trust Services Criteria
  • SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
  • SOC for Cybersecurity – Entity-Level Cybersecurity Risk Management Program

Which SOC report applies to my organization?

SOC 1 – A report on internal control over financial reporting at a service organization.

SOC 2 and SOC 3 – A report on internal control related to information systems and data security, availability, confidentiality, processing integrity, and/or privacy at a service organization.

SOC for Cybersecurity – A report about the effectiveness of a service organization’s cybersecurity risk management program.

What additional characteristics distinguish SOC 1, SOC 2 and SOC 3?

A SOC 1 report is specifically designed to provide management of the service organization, user entities, and their independent auditors (user auditors) with information about the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting. The SOC 1 report enables the user entities’ auditor to perform risk assessment procedures during the planning and performing of an audit of the financial statements. Use of the report is restricted to management, user entities and their independent auditors.

A SOC 2 report is specifically designed to meet the needs of a broad range of users including management of service organizations, user entities, and other specified parties. The SOC 2 report provides information about the internal controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (as established by TSP 100). Use of the report is generally restricted.

A SOC 3 report is a public report. It provides interested parties with a service auditor’s opinion about controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.

How is SSAE 18 related to SOC?

The AICPA’s Auditing Standards Board (ASB) has revised all of the existing attestation standards by clarifying the Statements on Standards for Attestation Engagements (SSAEs) and issuing SSAE 18, Attestation Standards: Clarification and Recodification. Although SOC reports now reference a new standard, we would not consider the revisions significant.

How do SSAE 16 (AT 801), AT 101 and SSAE 18 differ?

SSAE 18 is the new standard for all attestation engagements, including the new SOC for Cybersecurity.

SSAE 16 (AT 801) is the old standard for SOC 1 engagements. The new guidance in SSAE 18 is as follows:

  • AT-C Section 105, Concepts Common to All Attestation Engagements
  • AT-C Section 205, Examination Engagements
  • AT-C Section 320, Reporting on the Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

AT 101 is the old standard for SOC 2 and SOC 3 engagements. The new guidance in SSAE 18 is as follows:

  • AT-C Section 105, Concepts Common to All Attestation Engagements
  • AT-C Section 205, Examination Engagements

What changed with the issuance of SSAE 18?

The actual changes to SOC engagements relate to the following:

  • Vendor management
  • Risk assessment
  • Complementary subservice organization controls
  • Reliability of data

SSAE 18 requires the service organization to implement a vendor management program, to assess risk annually, and to monitor the complementary subservice organization controls. The service auditor will test the applicable controls and document the reliability of the data used for testing.

What is the difference between a Type 1 and a Type 2 Service Organization Report?

  • Type 1 – Report on management’s description of a service organization’s system and the suitability of the design of controls as of a point in time.
  • Type 2 – Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specified period of time.

What is a system description?

Management of a service organization is responsible for preparing the description of the service organization’s system, including the completeness, accuracy and method of presentation of the description. The system description includes the procedures within both manual and automated systems, by which services are provided, including procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary and transferred to reports and other information prepared for user entities.

Why would a service organization want a SOC 2 or SOC 3 report?

Because the SOC 2 and SOC 3 reports are based on predefined criteria, user entities may ask for a SOC 2 or SOC 3 report to provide them with assurance that controls are in compliance with industry standards. In addition, some companies use service providers for activities not relevant to the audited financial statements. Because a SOC 1 report can only be used for processes related to internal control over financial reporting, user entities may request a SOC 2 or SOC 3 report for assurance that the predefined controls (TSP 100) are in place.

What is the difference between a SOC 2 and SOC 3 report?

A SOC 2 report contains a detailed description of the service auditor’s tests of controls and the results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system, and it is generally a restricted-use report. A SOC 3 report covers the same information as a SOC 2 report, but it is intended for a general audience; SOC 3 reports are shorter and do not include the same level of detail as a SOC 2 report.

Can I get more than one report?

Yes. Because the same criteria are used for SOC 2 and SOC 3 reports, many service providers will choose to do both. Service providers that need a SOC 1 (because their services are relied upon by their clients’ financial auditors), but still want to provide assurance they meet the predefined trust services criteria, may find it advantageous to align their SOC 1 controls with the predefined Trust Services criteria. While the reports cannot be combined, certain testing performed in each engagement may provide evidence for the other engagements. This simplifies the compliance process for the service provider and allows the service provider to offer all three reports to its clients, in addition to using the SOC 3 for marketing purposes.

How do I get started?

Before committing to a comprehensive SOC examination, we can help you with a readiness assessment. The purpose of a readiness assessment is to assist with the following:

  • Determining the boundaries to be included in the engagement
  • Assisting with the system description for SOC 1, SOC 2 and SOC 3
  • Assisting with the determination of the control objectives and the control activities (SOC 1)
  • Assisting with the determination of the control activities related to the Trust Services Principles (SOC 2 and SOC 3)
  • Assisting with the description of the cybersecurity risk management framework (SOC for Cybersecurity)
  • Determining whether control weaknesses are present
  • Recommending remediation

Performing a readiness assessment prior to the SOC examination gives management an opportunity to remediate or implement controls to achieve the control objectives.

What is SOC 2 + Additional Subject Matter?

The service organization has the option to include additional subject matter related to the service organization’s services.

Additional subject matter examples are as follows:

  • Cloud Security Alliance (CSA)
  • HITRUST
  • COBIT 5
  • COSO 2013 Framework
  • ISO 27001
  • NIST 800-53 R4

The service organization provides an appropriate supplemental description of the additional subject matter, a description of the criteria used to measure and present the subject matter, and finally, if the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter.

What is SOC for Cybersecurity?

SOC for Cybersecurity is a reporting framework that helps organizations communicate with key stakeholders about their cybersecurity risk management program and the effectiveness of the controls within that program. SOC for Cybersecurity is an examination engagement performed by independent CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program, and (b) the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use.
