SOC for Service Organizations: Information for CPAS

SOC Logo for CPAsA CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers. The applicable attestation standard for such engagements may vary depending on the subject matter. To make CPAs aware of the various standards available to them for examining and reporting on controls at a service organization, and to help CPAs select the appropriate standard for a particular engagement, the AICPA has developed 3 different SOC for Service Organizations engagements (SOC 1®, SOC 2® and SOC 3®) that involve reporting on controls at a service organization. The table below identifies features of each of these engagements.

In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a practitioner. However, for SOC for service organizations engagements the term service auditor rather than practitioner is used to refer to a CPA reporting on controls at a service organization and an user auditor is a CPA who audits and reports on the financial statements of a user entity.

 

Illustrative Comparison of a SOC 2® Examination and Related Report with The Cybersecurity Risk Management Examination and Related Report

Whitepaper - SOC 2® Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions

SOC for Service Organizations Toolkits for Firms and Service Organizations

To help firms navigate this emerging service area, establish a niche practice and help clients, prospects and service organizations understand the benefits of SOC engagements, the AICPA has created a number of free resources and marketing materials in a helpful toolkit for firms. In addition, firms may want to use the components of the AICPA's SOC toolkit for service organizations to explain to current and potential clients their SOC for service organizations services.

Peer Review

The AICPA Peer Review Board approved SOC for Service Organizations SOC 1® and SOC 2® engagements as must select engagements.  This means that if a firm performs SOC 1® or  SOC 2® engagements, at least one such engagement should be selected during its peer review.  Further, someone on the peer review team should have corresponding SOC 1® or  SOC 2® experience.  Refer to Peer Review Alert 12-04 regarding the treatment of SOC for service organizations engagements in a peer review.

If you are interested in participating in peer reviews to review SOC for Service Organizations SOC 1® and SOC 2® engagements, please visit the following links:

Additionally, the AICPA is looking for volunteers to participate in the approval process of peer reviews of firms that perform SOC for service organizations engagements.  Interested volunteers should contact the AICPA Peer Review Program technical staff at (919) 402-4502 or prptechnical@aicpa.org.