Making Sense of SOC Reports
December 2, 2013
Although the American Institute of Certified Public Accountants’ (AICPA) new standards for Service Organization Controls (SOC) have been around for a couple of years, we find that many businesses are still asking, “What are they, and why do we need them?”
SOC stands for Service Organization Control. A service organization is defined as an organization that provides services to “user entities,” and those services are likely to be relevant to the user entities’ internal control over financial reporting. Thus, the term “user entity” simply refers to an organization that uses the services of a service organization.
Some common examples of service organizations are:
- Third-party vendors providing outsourced services to healthcare and financial services industries
- Credit card processing organizations and clearinghouses
- Medical claims processors
- Payroll processing companies and third-party administrators
- Managed IT service providers (web hosting, data processing, electronic records management)
HOW SOC CAME ABOUT
What many people don’t realize is that the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) has now replaced the Statement on Auditing Standards No. 70, or SAS 70. SSAE 16 provides guidance for an audit of the controls that are relevant to the financial statements of the service organization. An engagement under this standard is considered an SOC 1 engagement. Additionally, there are now two other reports, SOC 2 and SOC 3, which give the ability to report on non-financial controls. These two reports fall under the AT-101 standard.
WHAT’S THE DIFFERENCE IN THE REPORTS?
SOC 1 is a restricted-use report on management’s description of the service organization’s internal control system. It includes a detailed understanding of the design of controls at that service organization, and the service auditor performs tests to support the conclusion on the operating effectiveness of those controls. The report can be as of a specific date (Type 1) or cover a specified period (Type 2).
SOC 2 is a generally restricted-use report that addresses controls at a service organization that are pertinent to the Trust Services Principles (TSP) of:
- Security – is the system protected against unauthorized access (both physical and logical)?
- Availability – is the system available for operation and use as committed or agreed?
- Processing integrity – is the system processing complete, accurate, timely and authorized?
- Confidentiality – is the information designated as confidential protected as committed or agreed?
- Privacy – is personal information collected, used, retained, disclosed and destroyed in conformity with the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA)?
In an SOC 2 report, management identifies one or more of the TSP that it believes it has achieved and the criteria on which it will base its assertion of achievement. The report can either be as of a specified date (Type 1) or cover a specified period (Type 2).
Organizations trying to limit liability and manage risk should look to do business with vendors who are performing an SOC 2.
An SOC 3 report is documented in a similar manner to an SOC 2 report and for similar types of companies. However, it does not include the detailed description of the system or the tests of controls and related test results found in an SOC 2. It also allows the service organization to use the SOC 3 seal on its website, which many organizations are using as a marketing tool to differentiate themselves from their competitors.
Below is a table that serves as a quick reference to the various SOC reports and their purposes.

| Type of Report | What is it? | Why do I need it? |
|---|---|---|
| SOC 1 | Reports on the controls of the service organization relevant to the user entities’ internal control over financial reporting | To provide to user entities for their audited financial statements |
| SOC 2 | Reports on controls of the service organization relevant to one or several Trust Service Principles (security, availability, processing integrity, confidentiality and privacy) | To provide oversight of and due diligence for the service organization’s controls |
| SOC 3 | Reports on the same controls as an SOC 2 in a less detailed report | For marketing purposes when a detailed report is not needed |