Assurance and Advisory Services

SOC for Service Organizations: Information for CPAS 

A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers. The applicable attestation standard for such engagements may vary depending on the subject matter. To make CPAs aware of the various standards available to them for examining and reporting on controls at a service organization, and to help CPAs select the appropriate standard for a particular engagement, the AICPA has developed 3 different SOC for Service Organizations engagements (SOC 1®, SOC 2® and SOC 3®) that involve reporting on controls at a service organization. The table below identifies features of each of these engagements.

In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a practitioner. However, for SOC for service organizations engagements the term service auditor rather than practitioner is used to refer to a CPA reporting on controls at a service organization, and a user auditor is a CPA who audits and reports on the financial statements of a user entity.


Controls affect user entities’ …

  SOC 1® Report: Financial statements

  SOC 2® Report: Security, availability, processing integrity, confidentiality, or privacy

  SOC 3® Report: Security, availability, processing integrity, confidentiality, or privacy

Standard the engagement is performed under

  SOC 1® Report:
    - SSAE No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards), which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.
    - AICPA Guide, Service Organizations: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)

  SOC 2® Report:
    - SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements
    - AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®)
    - TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

  SOC 3® Report:
    - SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements
    - TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

Contents of the report package

  SOC 1® Report:
    - Description of the service organization’s system.
    - Management’s written assertion of the service organization regarding the description of the service organization’s system and the suitability of the design and the operating effectiveness of the controls.
    - Service auditor’s report that contains an opinion on the fairness of the presentation of the description, and the suitability of the design and operating effectiveness of the controls.
    - In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.

  SOC 2® Report:
    - Description of the service organization’s system.
    - Management’s written assertion of the service organization regarding the description of the service organization’s system and the suitability of the design and the operating effectiveness of the controls in meeting the applicable trust services criteria.
    - Service auditor’s report that contains an opinion on the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to meet the criteria.
    - In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.

  SOC 3® Report:
    - Service auditor’s opinion on whether the entity maintained effective controls over its system.



Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2® Examination and Related Reports

White paper (under development): SOC 2® Examination Engagements and Cybersecurity Risk Management Examination Engagements: Understanding the Key Distinctions


SOC for Service Organizations Toolkits for Firms and Service Organizations

To help firms navigate this emerging service area, establish a niche practice and help clients, prospects and service organizations understand the benefits of SOC engagements, the AICPA has created a number of free resources and marketing materials in a helpful toolkit for firms. In addition, firms may want to use the components of the AICPA's SOC toolkit for service organizations to explain to current and potential clients their SOC for service organizations services.



Peer Review

The AICPA Peer Review Board approved SOC for Service Organizations SOC 1® and SOC 2® engagements as must-select engagements. This means that if a firm performs SOC 1® or SOC 2® engagements, at least one such engagement should be selected during its peer review. Further, someone on the peer review team should have corresponding SOC 1® or SOC 2® experience. Refer to Peer Review Alert 12-04 regarding the treatment of SOC for service organizations engagements in a peer review.

If you are interested in participating in peer reviews to review SOC for Service Organizations SOC 1® and SOC 2® engagements, please visit the following links:

Additionally, the AICPA is looking for volunteers to participate in the approval process of peer reviews of firms that perform SOC for service organizations engagements. Interested volunteers should contact the AICPA Peer Review Program technical staff at (919) 402-4502 or prptechnical@aicpa.org.



Copyright © 2006-2017 American Institute of CPAs.