If your organization uses a service organization (that is, if you are a user entity), chances are that you have heard of a Service Organization Control report, better known as a SOC report. The AICPA has established three SOC reporting options (SOC 1, SOC 2, and SOC 3) to meet the varying information and assurance needs of user organizations that outsource processes or functions to service organizations.
A SOC 1 report addresses controls at a service organization that are relevant to the user organization's internal control over financial reporting. Drawing on the criteria in the Trust Services Principles and Criteria (TSP section 100), the AICPA also established the SOC 2 and SOC 3 examinations. Both address controls at a service organization related to the security, availability, processing integrity, confidentiality, and/or privacy of the information processed on behalf of user organizations. The primary difference between the two is that a SOC 2 report contains a detailed description of the service auditor's tests of controls and the results of those tests, and is restricted to use by the service organization, its user entities and their auditors. A SOC 3 report is a general-use report that states only whether the system achieved the applicable trust services criteria; no description of the tests performed or their results is included.
Why are these reports so important?
The AICPA states the following in its SOC Quick Reference Guide:
“Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system.
Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”
The report, issued by an independent service auditor on behalf of the service organization, is intended to provide the service organization's users (i.e., its customers) and their auditors with assurance regarding the outsourced services. For that assurance to be meaningful, several key points should be taken into consideration when reviewing a SOC 1 or SOC 2 report.
The first is to identify what type of report has been received. In addition to the three SOC reports described above, SOC 1 and SOC 2 reports each come in two types, Type I and Type II. A Type I report addresses only whether the controls were suitably designed and implemented as of a specified date; it does not opine on whether those controls operated effectively in the service organization's environment. A Type II report covers a period of time (commonly six to twelve months) and does test and opine on the operating effectiveness of the controls over that period.
Does the type of SOC report and scope of the report address the risks to me and my organization?
Too often, users of SOC reports look only at the opinion and at whether any testing exceptions are noted, and ignore the actual scope of the report. To use a report for its intended purpose, the user must first identify the services being outsourced and determine what kinds of control failures at the service organization could affect their own organization. Only then can they judge whether the controls included within the report's scope are sufficient to provide comfort regarding the service organization's control environment. A clean opinion on a report that does not cover the services you actually rely on provides no assurance about those services.
The next area to assess is the overall report opinion and the period covered by the report. Confirm that the period aligns with the period for which your organization needs assurance, and ask about any gap between the end of the report period and the present (a bridge letter from the service organization is the usual way to cover that gap). The report opinion is typically unqualified or qualified. An unqualified opinion means that the independent auditor concluded, without reservation, that the service organization's controls were:
• presented fairly in the description of the system;
• suitably designed to achieve the stated control objectives (or trust services criteria); and
• for a Type II report, operating effectively over the specified period.
A qualified opinion indicates that the auditor concluded that one or more control objectives were not achieved, or that some part of the description was not fairly presented. The basis for the qualification is stated in the opinion and should be read carefully, because it tells you exactly which assurance you are not getting.
After the scope, period and opinion of the report have been reviewed, user organization management should next evaluate the user control considerations within the report. User control considerations (UCCs, which the AICPA guidance calls complementary user entity controls) are controls that the service organization assumes are in place at the user organization; they must operate in combination with the control activities at the service organization for the control objectives to be achieved. Each UCC should be mapped to a control that actually exists at the user organization, and any that are missing should be treated as gaps in the user organization's own control environment, regardless of how clean the service organization's report is.
Once the UCCs have been addressed, the user should review the description of the system to better understand the environment in place at the service organization, and then review the detailed results of testing. Where the testing was performed without exception, note the controls relied on; where exceptions were noted, evaluate whether they affect services your organization relies on and whether the service organization's response is adequate, rather than assuming that any exception not resulting in a qualified opinion is immaterial to you.
Other information provided by the service organization
In this section the service organization provides information for users that was not part of the report scope and is therefore not covered by the service auditor's opinion or testing. Content in this area may include disaster recovery and business continuity planning, as well as management's responses to testing exceptions reported and the corrective actions taken. It is useful context, but it should be treated as management's unaudited representation rather than as assurance.
It is the user organization's responsibility to request, obtain and review the SOC reports of its service organizations and to validate that the report(s) address the appropriate services and controls, so as to provide assurance that the controls in place at the service organization are suitably designed (Type I and Type II) and operating effectively (Type II only).
A user organization places itself in a position of undue risk if it is not proactively monitoring its vendors and requesting, obtaining and reviewing the SOC reports available from its providers.
© 2012 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.