What Nonprofits Should Look for in a SOC 1 Report

April 16, 2018

Not-for-profit entities (NFPs) often outsource tasks such as payroll processing, cloud computing, and health care claims management and processing due to limited in-house resources and insufficient expertise in these areas to perform the required tasks efficiently. When tasks are outsourced, the NFPs are still responsible for establishing effective controls over those activities and, ultimately, the associated data. For example, when an NFP pays a third-party vendor to handle its payroll, it needs to know the service provider has the proper controls in place to meet its needs, such as fraud prevention, data security, and system integrity maintenance.

Many NFPs turn to System and Organization Controls (SOC) for Service Organizations reporting examinations[1] for this assurance. SOC is a suite of service offerings CPAs provide in connection with system-level controls of a service organization or entity-level controls of other organizations. The SOC 1® service is intended to meet the needs of user entities and their CPAs in evaluating the effect of the service organization’s controls on the user entities’ financial statements. SOC 1 reports can also help NFPs that are evaluating the feasibility of using a third-party service organization determine whether the vendor’s controls make sense for their situation.

SOC 1 reports are intended to provide assurance to users, in the form of a service auditor's opinion, that the service organization's system is described fairly, that the controls described are suitably designed to achieve the stated control objectives, and, in a Type 2 report, that those controls operated effectively throughout the period covered by the report.

Types of Reports

A SOC 1 report provides detailed descriptions of controls at a service organization relevant to user entities' internal control over financial reporting. Reports dated on or after May 1, 2017, are issued in accordance with SSAE No. 18. There are two types of SOC 1 reports: Type 1 and Type 2. Both describe controls that are already in place at the service organization; they differ in whether the operation of those controls is tested.

Type 1
A SOC 1 Type 1 report provides assurance, as of a specific date, that the controls described in the report are fairly presented and suitably designed to achieve the related control objectives. The service auditor examines the design of the controls only as of that date. A Type 1 report therefore gives an NFP no assurance that the service organization's controls actually operated as intended over any period.

Type 2
A SOC 1 Type 2 report provides the same assurance as a Type 1 report, plus reasonable assurance that the controls operated effectively over a period of time (typically six to 12 months). The service auditor tests the controls described in the report and reports the results of those tests. For this reason, a SOC 1 Type 2 report is the one that reveals the strength of the controls a service organization actually has in place, and it is the report an NFP's auditor will normally want to rely on.

When a SOC 1 report covers only a portion of the NFP's fiscal year, the service organization may provide a bridge letter (also called a gap letter) stating whether there have been material changes to its system or controls since the period covered by the most recent Type 1 or Type 2 report, so that the rest of the fiscal year is addressed. A bridge letter is a representation from the service organization's management, not an auditor's opinion; the longer the gap it bridges, the less weight it can carry.

Scope of the report

What is reported on in a SOC 1 report is critical to its usefulness. NFPs should review the report carefully to ensure that the services they actually contract for are covered, because certain services offered by the third-party organization may be excluded from the scope of the report. Continuing with the payroll example, a SOC 1 report for a payroll processor might cover collections and payroll processing but not the controls that govern payroll tax filings and remittances. Further, if the payroll processor outsources its payroll software to a subcontractor (i.e., a subservice organization), then the controls over software updates are performed by the subcontractor, not the service provider, and those controls may not be within the scope of the processor's SOC 1 report.

The updated attestation standards governing SOC engagements (AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting) address the importance of disclosing the relationship between service organizations and subservice organizations. Under AT-C Section 320, service organizations should use the inclusive method or the carve-out method with respect to subservice organizations.

With the inclusive method, management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls. The report also states that the service auditor’s procedures included procedures related to the subservice organization.

With the carve-out method, management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization but excludes the subservice organization’s relevant control objectives and related controls. The report also states that certain control objectives specified by the service organization can be achieved only if complementary subservice organization controls assumed in the design of the service organization’s controls are suitably designed and operating effectively, and that the service auditor’s procedures do not extend to such complementary subservice organization controls.

Scope limitations of the SOC 1 report can point to vulnerabilities. In the payroll example, the processor relies on its subcontractor to update the software with the most recent tax rates. If the tax rates have not been updated, the processor is not calculating payroll correctly, and under the carve-out method nothing in the processor's report tells the NFP whether that update control is working. For each carved-out subservice organization, NFPs should ask for that organization's own SOC 1 report, or otherwise determine how the complementary subservice organization controls are monitored. NFPs should take care in reviewing the scope of the SOC 1 reports they rely on.

Opinion, exception, and complementary controls

In both Type 1 and Type 2 SOC 1 reports, the service auditor provides an opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives as of a specific date. A Type 1 opinion will acknowledge the controls were not tested for operating effectiveness over a period of time; a Type 2 opinion will indicate tests were performed to determine whether the controls were operating as intended for a specified period.

Some reports carry a qualified opinion because certain controls were not operating effectively, or because a control objective was not achieved. In the payroll tax example, a test of wire transfers to a state government might have identified a missed or incorrect transfer in the sample tested. Such exceptions are detailed in the report where they are encountered, and an exception does not by itself mean the opinion is qualified: the service auditor weighs whether the exceptions, individually or together, prevent a control objective from being achieved. NFPs should therefore read the test results, not just the opinion paragraph.

Service auditors must disclose in the SOC 1 report any exceptions that occurred during testing, including the number of items tested along with the number and nature of the exceptions. For example, if a control indicates that the processor verifies pay rate changes via phone with an authorized individual and the testing identifies an instance where that didn’t occur, the SOC 1 report will show the number of changes tested, and the number of exceptions noted.

Complementary user entity controls (CUECs) also will be listed in a SOC 1 report. CUECs are the actions the user entity must carry out for the service organization's controls to achieve their control objectives. For example, an NFP must properly report hours worked for its payroll processor's controls to work as intended; the NFP's own controls over the reporting of hours worked would therefore appear as CUECs in the SOC 1 report. An NFP should map each CUEC to a control it actually performs and assign an owner, because the service auditor's opinion assumes those controls are in place and an NFP that has not implemented them cannot rely on the related control objectives.

Learning more about the information contained in a SOC 1 report can provide NFPs with critical knowledge about their service provider’s controls and how those controls could impact the NFP’s financial reporting.

As part of your organization’s financial reporting responsibility, make sure you’re obtaining the appropriate SOC 1 reports and verifying that the reports address the services being received or considered as part of the financial statement audit.

Additional Resources:

SOC Suite of Services
SOC for Service Organizations
SOC for Service Organizations Toolkit for Firms
SOC for Service Organizations Toolkit for Service Organizations
SOC for Cybersecurity
SOC CPE

[1]   In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of a service organization and system or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations.