Key Fundamentals of Reviewing and Assessing Service Organization Control (SOC) Reports

Due Diligence | SSAE 18/SOC

By Holly Russo

A Service Organization Control (SOC) report is typically required by companies and their auditors that obtain significant services from another organization. The auditors of the service organization’s customers can use the SOC report to gain an understanding of the internal controls in operation at the service organization. SOC reports can also be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

There are numerous steps that users should perform to review and assess SOC reports. While there may be additional elements to consider, the following are key factors that users should include in their assessments.

  • Determine the type of report (Type I or Type II).
  • Determine whether there are any modifications to the opinion - if the service auditor’s procedures reveal exceptions or control deficiencies, the service auditor may conclude that one or more control objectives could not be achieved due to a deficiency in design or operating effectiveness. When this occurs, the service auditor “qualifies” the opinion.
  • Determine whether there are any differences between management’s assertion and the opinion.
  • Determine whether there are any relevant exceptions - whether or not the opinion is qualified, users should understand the nature of any exceptions noted in the report to determine whether they raise any concerns or result in additional risk exposure to user organizations.
  • Determine whether the controls are relevant to your needs - review the quality and completeness of the control objectives covered by the report and assess whether the scope of the report is adequate for reliance. The control objectives should typically cover information technology and core processes impacting users’ financial statements.
  • Determine whether the user control considerations are addressed - if the user organization does not have the noted controls in place, it may warrant action by the user organization to implement the suggested controls and/or determine whether the user has other controls in place to mitigate the associated risks.
  • Assess the competency of the service auditor that performed the work - some due diligence is required to research the service auditor’s qualifications, to determine whether the firm has adequate skills, and to assess the competency of the auditor by the quality of the controls tested.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
