Service Organization Control Reporting

Today, it is common for entities to outsource business tasks or functions to service organizations, even those that are core to an entity’s operations. Although user entities may rely on a service organization to perform outsourced tasks or functions, the user entity still retains responsibility (and the risks associated) for the service it provides to its customers. Examples of the services that service organizations provide include: cloud computing, managed security, health care claims management, etc. 

This is a great marketplace-driven opportunity for the CPA profession. By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can meet the information and assurance needs of user entities and also obtain an objective evaluation of a service organization’s controls that may affect user entities’ financial reporting, operations, or compliance.

The AICPA has established three service organization control SOC) reporting options (SOC 1®, SOC 2®, and SOC 3® reports) to meet the varying information and assurance needs of entities that use service organizations (user entities).