Assurance and Advisory Services

    Service Organization Controls (SOC) Reports for Service Organizations 

    Service Organization Controls (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs:

    SOC 1℠ Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE 16)

    These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the service organization on the user entities’ financial statements. User auditors use these reports to plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:

    • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
    • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

    Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

    SOC 2℠ Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

    These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. Use of these reports generally is restricted to parties that have this understanding. The AICPA Guide, Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), provides guidance for performing these engagements. These reports can play an important role in:

    • Oversight of the organization
    • Vendor management programs
    • Internal corporate governance and risk management processes
    • Regulatory oversight  

    Similar to a SOC 1 report, there are two types of report: a type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls, and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is generally restricted.

    SOC 3℠ Report – Trust Services Report for Service Organizations

    These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal. For more information about the SysTrust for Service Organizations seal program, go to www.webtrust.org.

    Unlike a SOC 1 report, which is only an auditor-to-auditor communication, a SOC 2 report (generally a restricted-use report, at the discretion of the auditor using the guidance in the standard) and a SOC 3 report (in all cases) enable the service organization to share a general use report that is relevant to current and prospective customers, or to use it as a marketing tool to demonstrate that it has appropriate controls in place to mitigate risks related to security, privacy, etc.


    HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU

    • Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? If yes: SOC 1 Report.
    • Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? If yes: SOC 1 Report.
    • Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? If yes: SOC 2 or 3 Report. To choose between them:
        • Do you need to make the report generally available or seal? If yes: SOC 3 Report.
        • Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? If yes: SOC 2 Report. If no: SOC 3 Report.

  • AICPA Toolkit for Service Organizations
    To help service organizations better understand SOC services and educate current and potential customers on the reports on their controls, the AICPA has developed the SOC Toolkit for Service Organizations. All materials are available as free downloads.

    Copyright © 2006-2014 American Institute of CPAs.