SOC for Service Organizations 


SOC for Service Organizations reports are internal control reports on the services provided by a service organization. They give users the information they need to assess and address the risks associated with an outsourced service.

CPAs: Provides information to user auditors and service auditors on understanding and performing SOC for Service Organizations engagements.

Users & User Entities: Provides information to user entities on how to mitigate the risks associated with outsourcing services.

Service Organizations: Provides information to service organizations on building trust and confidence in their systems.

SOC for Service Organizations Guides and Publications

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria) are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management may also use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)

This updated and improved guide is designed to help CPAs effectively perform SOC 1® engagements under AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®)

The SOC 2® guide provides “how-to” guidance for service auditors performing examinations under AT section 101, Attest Engagements (AICPA, Professional Standards), to report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. It includes a new comprehensive illustrative type 2 SOC 2® report and expanded information on the unique challenges and risks service auditors will encounter in performing SOC 2® or SOC 3® engagements for cloud computing service organizations.

Attestation Standards

This 2017 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified Statements on Standards for Attestation Engagements in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and differentiated from the extant standards by the identifier “AT-C”, the attestation standards are easier to read, understand, and apply because each AT-C section establishes objectives and definitions and separates requirements from application and other explanatory material.

Some of the more significant changes introduced by SSAE No. 18 include (among other changes):
  • Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
  • Required representation letters
  • More robust risk assessment for examination engagements

SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
  • AT 501, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
  • AT 701, Management’s Discussion and Analysis

SOC for Service Organizations Resources

Mapping of the 2017 Trust Services Criteria to Extant 2016 Trust Services Principles and Criteria

Illustrative Management Assertion and Service Auditor's Report for a Type 2 Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity and Confidentiality

This illustrative tool is intended as an example of management’s assertion and a service auditor’s report in a SOC 2 Type 2 engagement under the clarified Attestation Standards. It is an interim tool for use by practitioners while the SOC 2 guide is under revision and is subject to change in the final version of the guide, which is scheduled for publication in late 2017.

SOC 2® + Additional Subject Matter

Learn about additional considerations when a service organization requests that the service auditor’s report address either criteria in addition to the applicable trust services criteria, or additional subject matter related to the service organization’s services using additional suitable criteria related to that subject matter, or both. This section also includes information about the following service offerings:

  • SOC for Service Organizations: SOC 2® HITRUST
  • SOC for Service Organizations: SOC 2® CSA STAR Attestation

SOC for Service Organizations Reports, Logos, Toolkits, Peer Review Requirements, and Other Related Information

SOC for Service Organizations Continuing Professional Education

SOC for Service Organizations School: Conducting Successful Engagements

  • SOC for Service Organizations School is designed to educate CPA practitioners who want to learn how to provide best-in-class services related to the effectiveness of controls at a service organization that impact their clients’ internal controls over financial reporting (SOC 1®), and controls at a service organization related to information privacy, security, confidentiality, availability and processing integrity (SOC 2® and SOC 3®). CPA practitioners who attend the SOC for Service Organizations School will gain a deeper understanding of SOC for Service Organizations guidance and common practice issues, and will leave with the foundational knowledge to effectively perform these engagements.

Visit http://www.cpa2biz.com/soc to learn more.

Copyright © 2006-2017 American Institute of CPAs.