Five years after the AICPA introduced the Service Organization Control (SOC) reports, I continue to field lots of questions about SOC and its different "flavors."
In fact, I am seeing even more interest in SOC today than I have since it was introduced. Why? Pretty simple really. The rapid migration of business to the cloud is bringing massive amounts of data along with it. Concerns about the privacy and security of that data are prompting businesses to seek assurance about the policies and practices of vendors that host, transmit, and otherwise handle sensitive business material. This search for assurance is casting a huge spotlight on Service Organization Control reports.
With that in mind, I believe it's a good time to revisit a column I wrote four years ago about SOC. The basic descriptions of SOC still apply, but I have included a number of updates to add perspective on SOC and reflect changes in the reports and their attestation standards.
Why don't we start with a basic definition? Service Organization Control reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
This article provides an overview of SOC 1, SOC 2, and SOC 3 reports, explaining when and why to use each one.
Purpose of SOC reporting
To best understand SOC reports, it's helpful to know why the AICPA created them. The past several years have seen rapid growth in the number of businesses outsourcing various functions to service organizations such as cloud computing providers. A few examples of the types of services provided by service organizations are customer support such as post-sales support and service management. Sales force automation is another example of a service provided by a service organization. Service organizations may provide health care claims and processing for user entities. Managing, operating, and maintaining user entity IT data centers, infrastructure, application systems, and related systems are also functions that service organizations may fulfill. They may also manage access to networks and computing systems for user entities.
Other examples of traditional services provided by service organizations include payroll processing and medical claims processing; relatively newer services include human resources, document management, workflow, and tax processing. The growth in outsourcing has been fueled by a number of factors, including pressure to improve operational costs, an increasingly virtual workforce, and a lack of internal resources to support a process or function.
There are two distinct roles that characterize and identify a SOC report recipient: service or user entities. An organization that provides services to other organizations or entities is referred to as a service organization, and organizations or entities that use the services of service organizations are called user entities.
The rise of cloud computing has played a key role in the number of businesses that outsource functions to service organizations. Because the cloud consists of servers accessible through the internet, cloud computing providers can offer user entities access to applications, data storage, and numerous other computing functions on a pay-as-you-go basis. This model often proves more convenient and cost effective for user entities, which are happy to shed the cost, time, and risk associated with having to buy software licenses and pay for the purchase and maintenance of servers.
In many of these outsourcing situations, user entities submit personal or confidential customer information to service organizations for processing or storage. A breach in privacy practices may occur while such information is at the service organization. Even though the breach may occur while the information is at the service organization, the user entity continues to retain responsibility for protecting such information. Such liability concerns and the growth in outsourcing have elevated the marketplace demand for assurance regarding the confidentiality and privacy of information processed by a service organization's system.
When assessing controls at a service organization that may be relevant to and also affect the services provided to the user entity, management of the user entity may request that the service organization provide a service auditor's report on a description of the service organization's system and the design and operating effectiveness of controls over the service organization's system that may be relevant to the security, availability, or processing integrity of the system or the system's ability to maintain the confidentiality or privacy of the information processed for the user entity. Obtaining a service auditor's report from a service organization provides management of the user entity with useful information in assessing risk but does not relieve the user entity of responsibility for risk.
The 'flavors' of SOC
The AICPA's Auditing Standards Board (ASB) has completed clarifying Statements on Standards for Attestation Engagements (SSAEs). The attestation standards establish requirements for performing and reporting on examination, review, and agreed upon procedures engagements that enable practitioners to report on subject matter other than financial statements. The attestation standards are codified into sections using the identifier "AT-C."
AT-C section 105 addresses Concepts Common to all Attestation Engagements. AT-C section 205 addresses Examination Engagements. AT-C section 320 addresses Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. SP section 100 (Trust Services Principles and Criteria) provides criteria for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy, for a SOC 2 engagement.
Similar to a SOC 2 engagement, a SOC 3 engagement is an examination engagement in which the practitioner reports on the suitability of design and operating effectiveness of controls over a system using the trust services criteria.
SOC 1 and SOC 2 both have type 1 and type 2 report options, as explained in more detail below.
SOC 1
- In its simplest form, SOC 1 is a report on controls at a service organization relevant to a user entity's internal control over financial reporting. A type 1 report focuses on a description of a service organization's system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A type 2 report contains the same opinions as a type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A type 2 report also includes a detailed description of the service auditor's tests of controls and results.
- Use of the report is restricted to the management of the service organization, user entities, and user auditors.
SOC 2
- Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
- Uses the trust services criteria.
- Similar to SOC 1 in that a type 1 or type 2 report is available.
- Includes a description of the service auditor's tests of controls and results.
- Use of the report "generally" is restricted.
SOC 3
- This is a trust services report for service organizations.
- Covers the same subject matter as SOC 2.
- Does not include a description of the service auditor's tests of controls and results. Also, the description of the system is less detailed than the description in a SOC 2 report.
- The use and distribution of the report is NOT restricted.
The AICPA has approved two logos that service organizations and CPAs may use in marketing their services related to SOC engagements. These logos may be used in promotional material or displayed on a website.
For CPAs who provide SOC 1, SOC 2, or SOC 3 engagements, the only logo approved for use is:
For service organizations that have received a SOC 1, SOC 2, or SOC 3 report issued within the past year, there is also only one logo that may be used. The logo approved for use is:
For more information, the AICPA has resources available at aicpa.org/SOC.
Conclusion
Demand for SOC reports should increase in the coming years because of continued growth in outsourcing. As we continue to outsource or consume technology as a service, obtaining and understanding the appropriate SOC report to help manage your IT risk is essential. To learn more, click here.
As the outsourcing grows, so do opportunities to conduct SOC assessments of service providers. This line of work can provide a fresh flow of revenue for accounting firms. CPAs are perfectly positioned to be the premier providers of SOC services in this space.
Editor's note: This is an update to a CPA Insider article originally published on June 11, 2012.
James C. Bourke, CPA/CITP/CFF, CGMA, is a partner at New Jersey-based accounting firm WithumSmith+Brown, where he is director of firm technology. He is past chair of the AICPA's CITP Credential Committee and the AICPA's Tech+ Conference. He also is a past member of the AICPA Board of Directors and Council and is a past president of the New Jersey Society of CPAs.
Service Organization Controls (SOC) School: Conducting Successful Engagements
Thank you for your interest. The AICPA is planning to offer Service Organization Controls (SOC) School: Conducting Successful Engagements again in the future, if you’d like to be notified when more details are available, please send an email to conferences@cpa2biz.com.
For additional resources, visit aicpastore.com/SOC
