A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities' financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities' customers. The applicable attestation standard for such engagements may vary depending on the subject matter. To make CPAs aware of the various standards available to them for examining and reporting on controls at a service organization, and to help CPAs select the appropriate standard for a particular engagement, the AICPA has introduced SERVICE ORGANIZATION CONTROLSM Reports and identified 3 different engagements (SOC 1, SOC 2 and SOC 3) that involve reporting on controls at a service organization. The table below identifies features of each of these engagements.
In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a practitioner. However, for SOC engagements the term service auditor, rather than practitioner, is used to refer to a CPA reporting on controls at a service organization, and a user auditor is a CPA who audits and reports on the financial statements of a user entity.
| | SOC 1SM Report | SOC 2SM Report | SOC 3SM Report |
|---|---|---|---|
| Controls affect user entities' … | Financial statements | Security, availability, processing integrity, confidentiality, or privacy | Security, availability, processing integrity, confidentiality, or privacy |
| Standard the engagement is performed under | SSAE No. 16 (AT 801, Reporting on Controls at a Service Organization); AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization | AT 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy | AT 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations |
| Contents of the report package | Description of service organization's system. CPA's opinion on fairness of description, suitability of design and operating effectiveness of controls. In a type 2 report: description of CPA's tests of controls and results. | Description of service organization's system. CPA's opinion on fairness of description, suitability of design and operating effectiveness of controls. In a type 2 report: description of CPA's tests of controls and results. | CPA's opinion on whether the entity maintained effective controls over its system. A SOC 3 SysTrust for Service Organization seal can be posted on a service organization's website after issuance of an unqualified SOC 3 report. Practitioners must be licensed by the CICA to use this registered certification mark. For more information on licensure, go to www.webtrust.org or contact Bryan Walker at Bryan.Walker@cica.ca. |
SOC Toolkits for Firms and Service Organizations
To help firms navigate this emerging service area, establish a niche practice and help clients, prospects and service organizations understand the benefits of SOC engagements, the AICPA has created a number of free resources and marketing materials in a helpful toolkit for firms. In addition, firms may want to use the components of the AICPA's SOC toolkit for service organizations to explain to current and potential clients their SOC services.
Peer Review
The AICPA Peer Review Board recently approved SOC 1 and 2 engagements as must-select engagements. This means that if a firm performs SOC 1 or 2 engagements, at least one such engagement should be selected during its peer review. Further, someone on the peer review team should have corresponding SOC 1 or 2 experience. Refer to Peer Review Alert 12-04 regarding the treatment of SOC engagements in a peer review.
If you are interested in participating in peer reviews to review SOC engagements, please visit the following links:
Peer Review Team Member (CPA Required)
Non-CPA SOC Specialists
Additionally, the AICPA is looking for volunteers to participate in the approval process of peer reviews of firms that perform SOC engagements. Interested volunteers should contact the AICPA Peer Review Program technical staff at (919) 402-4502 or prptechnical@aicpa.org.