Who Can Sign a SOC Report?
System and Organization Control (SOC) reports continue to be a valued piece of an organization’s internal controls and information technology (IT). A common question about these reports is: who can sign a SOC report?
A SOC report can be a SOC 1, SOC 2, or SOC 3 report and is signed by a Certified Public Accountant (CPA) firm. SOC reports were developed by the American Institute of Certified Public Accountants (AICPA), which outlines the requirements to be SOC compliant.
SOC Report Sections
The first section in a SOC report is the Independent Auditor’s opinion. This is a letter to the organization that is signed by the independent auditor and outlines the scope, the organization’s responsibilities, the independent auditor’s responsibilities, inherent limitations of the report, a description of tests performed, and the opinion, along with restrictions on the report’s use. Only a licensed CPA firm is able to perform a SOC audit, and the signer on the audit must be a CPA. When deciding on a SOC 2 auditor, several factors should be considered, including technical expertise and knowledge, as well as qualifications and credentials, reputation, and cost.
The second section of a SOC report is the Management assertion. In this section, a letter is presented that is signed by the organization. It is a requirement for SOC audits that the organization designate individuals, often senior management or leaders in the organization, to sign the Management assertion. This section includes references to the scope, the provided description from management, and an assertion noting that the report itself is accurate and does not omit any known information for the period being assessed. This section can vary between SOC 1 and SOC 2 reports, but assertions are required regardless of the type of SOC audit.
In addition to the report, independent auditors request that the organization designate an individual to sign a representation letter prior to issuing the final SOC report. This representation letter includes references to information provided, evidence, inquiries, any noted fraud, or other items, noting that the information provided is accurate and complete and that nothing was omitted.
In summary, both the auditing firm and the organization being audited must sign the SOC report, with the organization signing the Management Assertion and Representation and the auditor signing the Independent Auditor’s opinion within the SOC report. This provides the users of the SOC report with assurance that the controls within the report and the testing performed are complete and accurate.
For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as…