Assurance and Advisory Services

    SOC Reports Information for CPAs 

    A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers. The applicable attestation standard for such engagements may vary depending on the subject matter. To make CPAs aware of the various standards available to them for examining and reporting on controls at a service organization, and to help CPAs select the appropriate standard for a particular engagement, the AICPA has introduced Service Organization Control Reports® and identified 3 different engagements (SOC 1®, SOC 2® and SOC 3®) that involve reporting on controls at a service organization. The table below identifies features of each of these engagements.

    In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a practitioner. However, for SOC engagements, the term service auditor, rather than practitioner, is used to refer to a CPA reporting on controls at a service organization, and a user auditor is a CPA who audits and reports on the financial statements of a user entity.
     

     

    | | SOC 1® Report | SOC 2® Report | SOC 3® Report |
    |---|---|---|---|
    | Controls affect user entities… | Financial statements | Security, availability, processing integrity, confidentiality, or privacy | Security, availability, processing integrity, confidentiality, or privacy |
    | Standard the engagement is performed under | SSAE No. 16 (AT 801, Reporting on Controls at a Service Organization); AICPA Guide Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting Guide | AT 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy | AT 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations |
    | Contents of the report package | Description of service organization’s system. CPA’s opinion on fairness of description, suitability of design and operating effectiveness of controls. In type 2 report: description of CPA’s tests of controls and results. | Description of service organization’s system. CPA’s opinion on fairness of description, suitability of design and operating effectiveness of controls. In type 2 report: description of CPA’s tests of controls and results. | CPA’s opinion on whether the entity maintained effective controls over its system. |

    Click here for a detailed comparison of  SOC 1®, SOC 2® and SOC 3® Reports.


    SOC Toolkits for Firms and Service Organizations

    To help firms navigate this emerging service area, establish a niche practice and help clients, prospects and service organizations understand the benefits of SOC engagements, the AICPA has created a number of free resources and marketing materials in a helpful toolkit for firms. In addition, firms may want to use the components of the AICPA's SOC toolkit for service organizations to explain to current and potential clients their SOC services.



    Peer Review

    The AICPA Peer Review Board recently approved SOC 1® and 2® engagements as must select engagements.  This means that if a firm performs SOC 1® or 2® engagements, at least one such engagement should be selected during its peer review.  Further, someone on the peer review team should have corresponding SOC 1® or 2® experience.  Refer to Peer Review Alert 12-04 regarding the treatment of SOC engagements in a peer review.

    If you are interested in participating in peer reviews to review SOC engagements, please visit the following links:
    Peer Review Team Member (CPA Required)
    Non-CPA SOC Specialists

    Additionally, the AICPA is looking for volunteers to participate in the approval process of peer reviews of firms that perform SOC engagements.  Interested volunteers should contact the AICPA Peer Review Program technical staff at (919) 402-4502 or prptechnical@aicpa.org.  


     

    Copyright © 2006-2014 American Institute of CPAs.