Today, it is common for entities to outsource business tasks or functions to service organizations, even those that are core to an entity’s operations. Although user entities may rely on a service organization to perform outsourced tasks or functions, the user entity still retains responsibility (and the risks associated) for the service it provides to its customers. Examples of the services that service organizations provide include: cloud computing, managed security, health care claims management, etc.
This is a great marketplace-driven opportunity for the CPA profession. By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can meet the information and assurance needs of user entities and also obtain an objective evaluation of a service organization’s controls that may affect user entities’ financial reporting, operations, or compliance.
The AICPA has established three service organization control (SOC) reporting options (SOC 1SM, SOC 2SM, and SOC 3SM reports) to meet the varying information and assurance needs of entities that use service organizations (user entities).
Quick Reference Guide to Service Organization Control Reports
This reference guide addresses key topics that may arise when user entities or service organizations are determining which type of SOC report best meet their needs. It is useful to present this reference when they are determining which report they’d like to request for.
IMTA Section members have access to the digital version (a $160 value!). The print version is available for purchase: IMTA Section members receive an additional 10% discount (off the price of $89.00 for 25 copies).
Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report
The American Institute of Certified Public Accountants (AICPA) has long recognized the need for CPAs to understand the risks related to an entity’s use of service organizations.
Replacing SAS 70: New standards for engagements involving outsourcing
Guidance for CPAs who audit the financial statements of entities that outsource work to service organizations and those who report on controls at service organizations is being revamped and relocated.
Expanding Service Organization Controls Reporting: SOC 2 reports offer CPAs new opportunities to address clients' needs
The AICPA has developed the Service Organization Control (SOC) reporting framework. The framework is designed to help service organizations, their customers and CPAs understand the types of examination reports a CPA can issue related to service organization controls.