Assurance and Advisory Services

SOC for Service Organizations: Information for Users and User Entities 

Many companies function more efficiently and profitably by outsourcing tasks or entire functions to service organizations that have the personnel, expertise, equipment, or technology to accomplish these tasks or functions. Examples of such services include cloud computing, managed security, health care claims management and processing, sales force automation, etc. Although user management can delegate these tasks or functions to a service organization, they are usually held responsible by those charged with governance (for example, the board of directors), customers, shareholders, regulators and other affected parties for establishing effective controls over those outsourced functions. The following SOC for Service Organizations reports provide user management with the information they need about the service organization’s controls to help assess and address the risks associated with an outsourced service:

SOC 1®– SOC for Service Organizations: ICFR – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

There are two types of reports for these engagements:

  • Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2® - SOC for Service Organizations: Trust Services Criteria – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Regulatory oversight

Similar to a SOC 1 report, there are two types of reports : A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports are restricted.

SOC 3®— SOC for Service Organizations: Trust Services Criteria for General Use Report

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy , but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed.

SOC 2 User Guide 

AICPA and ISACA have jointly released  the SOC 2 User Guide for Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy,  to provide user entities with the information they need when interpreting the SOC 2® reports received from service organizations.  The guide is intended for those evaluating a service organization’s SOC 2® report as part of a governance, risk and compliance (GRC) program; vendor assessment; security evaluation; business continuity plan or other control evaluation. It may also be useful to those considering requesting a SOC 2® report from an existing vendor that does not currently provide a report or a new vendor as part of the due diligence or request for proposal (RFP) process. For information on SOC 2 User Guide, visit www.isaca.org.

Additional Resources 

Understanding How Users of Service Organizations Would Make Use of a SOC for Service Organizations SOC 2® Report, provides guidance to users entities on the factors they should consider when evaluating the relationship of the controls being reported on in the SOC 2® report to their environment. Examples of outsourced services include cloud computing, managed security, customer support etc.
© 2017 Association of International Certified Professional Accountants. All rights reserved.