In recent years, organizations have increasingly outsourced key business processes to service organizations as a way of reducing costs and improving efficiency. With recent changes in technology outsourcing, software as a service and other cloud-based technologies have become the norm rather than the exception for many organizations. That growth in outsourcing has also increased the need for auditor reporting at service organizations, so that customers can confirm these providers have adequate internal controls over the services they deliver. As a result, demand for System and Organization Controls (“SOC”) examinations (formerly called Service Organization Controls) has grown. Service organizations are often asked to provide their customers with a SOC report as part of their service level agreements. As these customer requests become more frequent, they raise many questions and some confusion. What is a SOC report? What type of SOC report should be performed at my organization? What does the SOC examination process entail? These questions are common and quite pervasive at service organizations, so we will address the basics of SOC reports and answer them.
What is a SOC report?
A SOC examination is one method for a service organization to externally communicate information about the effectiveness of its internal controls to users of its services and their auditors. SOC examinations assess internal controls related to a specific process or system at the service organization, such as transaction processing, data processing, or data hosting. A SOC examination provides assurance to users that a system of controls is in place at the service organization so that the relevant customer objectives are being met. In addition, a SOC examination minimizes the need for the separate auditors of the organization’s various users to each test the same controls when performing their user audits. There are three types of SOC reports available to service organizations: SOC 1, SOC 2, and SOC 3.
What type of SOC report does my organization need?
There are three types of SOC reports. The SOC 1 is a report issued in accordance with the Statement on Standards for Attestation Engagements (SSAE) 18 and focuses primarily on a service organization’s controls that are likely to be relevant to an audit of a user entity’s financial statements. A service organization should determine what type of service it provides to user entities and whether those services affect the user entities’ financial reporting. If the answer is yes, as with services such as processing insurance claims or processing payroll transactions for customers, then the service organization will need a SOC 1 examination.
SOC 2 and SOC 3 reports address a service organization’s controls that relate specifically to operations and compliance, as defined by the AICPA’s Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 2 and SOC 3 examinations are generally used by service organizations reporting on controls that are not deemed relevant to the user entity’s internal control over financial reporting. Both are attestation examinations that require the service organization’s controls to meet the applicable Trust Services Criteria as defined by the AICPA. A service organization receiving a SOC 2 or SOC 3 determines the scope of its report by selecting the Trust Services categories that apply to the services it provides to customers; the security category (the common criteria) is always in scope, and availability, processing integrity, confidentiality, and privacy are added as the services warrant. A SOC 2 report is a restricted-use report, which essentially means its distribution is limited to the service organization’s management, customers, and prospective customers. The SOC 2 report includes the auditor’s opinion, management’s assertion, and a full description of the system as well as the service organization’s controls and the results of the auditor’s tests of those controls. A typical SOC 2 report therefore includes substantial detail on which controls are in place at the service organization and how the auditor tested them. A SOC 3 report, on the other hand, is a general-use report that can be distributed to any party. It is much shorter and consists of a brief auditor’s opinion, management’s assertion, and a brief narrative providing background on the service organization; it does not include the detailed control descriptions or test results found in a SOC 2.
SOC 1 and SOC 2 reports are also issued as either a Type I or a Type II examination. A Type I SOC report focuses on the description of a service organization’s controls and the suitability of the design of those controls to achieve the control objectives (or Trust Services Criteria) as of a specified date. A Type II SOC report contains the same opinions as a Type I but adds an opinion on the operating effectiveness of the controls throughout a specified period, commonly six to twelve months. The Type I engagement consists primarily of walkthroughs and inquiries about the controls; it provides no assurance that the controls actually operated over time. The Type II engagement includes not only walkthroughs of the design of the controls but also tests of their operating effectiveness during the specified audit period, which is why customers most often ask for a Type II report.
What does the SOC examination process entail?
Service organizations often have substantial questions about the SOC examination process. In many cases, the organization does not know where the process should begin, what steps need to be taken, or what documentation and level of effort will be required. The first step before a service organization undergoes its first SOC examination is a readiness assessment. A readiness assessment allows for discussion and an informal evaluation of your organization to determine its preparedness for a Type I or Type II SOC examination. This process gives your service auditor the opportunity to review your internal controls and audit readiness and to make recommendations before the attestation engagement, helping to ensure the engagement goes smoothly. The readiness assessment also allows the service organization to determine the type of SOC engagement to be performed and the nature of the resulting SOC report. In addition, the service organization and the auditor can review the organization’s risk assessment and identify control objectives with management.
Upon completion of the readiness assessment, the service organization and the auditor develop a timeline for the Type I or Type II examination with dates for fieldwork, testing, and reporting. The service organization can expect the auditors to be on-site for interviews and for testing the operating effectiveness of key controls during the SOC reporting period. Upon completion of fieldwork and testing, the audit firm drafts the SOC report. Management reviews the written sections for accuracy to ensure all relevant controls have been documented. A draft report is then issued to the service organization’s management for review and comment, and management provides written responses to any exceptions noted in the report for inclusion. The final SOC report is issued upon management’s review and approval.
McKonly & Asbury provides a full suite of SOC services, from readiness assessments to SOC 1, SOC 2, and SOC 3 Type I and Type II examinations, to service organizations both locally and nationally. Our broad expertise allows us to perform SOC examinations for a variety of service organizations, including third-party service providers, payroll and benefits processors, datacenters, software development companies, cloud computing providers, and data and application hosting companies. For more information concerning your SOC reporting or the services provided by McKonly & Asbury, please contact our team.