When a service organization engages a service auditor to perform a System and Organization Controls (SOC) report examination, it is important to note that there are required sections that every report must contain. But there are also many other facets that users of the report expect to be included in order for the users to get a clearer, broader picture of the system and its controls on which the report is based.
Primarily, users are interested in whether the service auditor’s opinion is unqualified or modified. For how a service organization should address a modified opinion in its SOC report, see the related Our Thoughts On article.
Beyond the opinion, a user of a report expects to see a clearly defined scope, so that they can determine whether the report includes the services that the service organization is providing to them, and a report period that is sufficient to meet their needs. The scope paragraph should list not only what is included in the scope of the report, but also what is excluded from it. For example, if only certain locations of a service organization’s business are within the scope of the report, the report should clearly state the locations included and the locations excluded. Reports should be issued on a regular basis and should cover 6-12 months so that the users of the report can effectively rely on the controls for their intended use, whether it’s a financial statement audit or third-party risk management activities.
Once the user has determined that the scope of the report is appropriate for the service they are receiving from the service organization, the user should also expect to see control objectives (in a SOC 1) or trust services criteria (in a SOC 2) that are appropriate for the service they are receiving. For example, if the service organization is a data center that is physically hosting a user entity’s IT infrastructure, the user should expect to see controls related to availability of the systems and physical and environmental security of the facilities.
Further, a user of a report expects the description of the system to be written in such a way that it is understandable to someone who either uses the system or represents a user of the system (e.g., a user entity’s auditor). Service organizations should avoid using highly technical jargon or acronyms that such users might not understand fully.
The description of the system should include any subservice organizations to which the service organization has outsourced any part of its system, as well as the complementary subservice organization controls that the service organization expected to be in place when designing and implementing its own controls. Since a service organization can choose either the inclusive method or the carve-out method of presenting a subservice organization, the report should communicate to the users whether the service auditor’s examination extended to the controls in place at the subservice organization.
Complementary user entity controls are another important facet of the description of the system because they communicate to the user entities what controls they must have in place and operating effectively in order for the service organization’s controls to operate effectively as well.
When a SOC report contains this type of information and appropriate level of detail, users can better understand the full picture of the service organization’s system for providing the in-scope service and can utilize the SOC report for their specified purposes.