The Basics of SOC Reports and Management’s Responsibility
What is a SOC Report?
If you have been through an audit, chances are your auditors have asked you to request Service Organization Controls (SOC) reports. Even though these reports have been around for quite some time, auditors still encounter puzzled looks when making these requests. They have their roots in historical “SAS 70” reports, which were issued in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70, Service Organizations. SAS 70 was the authoritative guidance for nearly two decades, before it was replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16 in 2011. SSAE 16 was issued to update the standard for certain service organizations that are outside the scope of SAS 70, to include a written assertion by management, and to align it with the international service organization reporting standard.
In a nutshell, SOC reports are used to document an independent third-party’s examination of a service provider’s control environment. An example of a common arrangement is a service provider who provides cloud-based data processing or storage services to its client, which is referred to as a user entity. The ability of that service provider to accurately process transactions and protect the user entity’s data is of great interest to the user entity, its management, and anyone whose records are shared by the service provider and the user entity. If the data involves financial information generated by the service provider and then used by the user entity, anyone relying on the entity’s financial statements (lenders, investors, etc.) is knowingly or unknowingly relying on the integrity of the service provider’s results. This in turn should be of great interest to the user entity’s management. SOC reports are designed to address those concerns.
The Different Types of SOC Reports
There are three types of SOC reports. SOC 1 reports fall under SSAE 16 and specifically address internal controls over financial reporting. There are two types of SOC 1 reports. Type I reports provide a description of the service organization’s controls and management’s assertion regarding the design and implementation of these controls. The auditor’s test work and opinion are as of a point in time (e.g., June 30, 20XX). A Type II report provides the same information plus it covers the operating effectiveness of these controls over a period of time (typically six months to a year). As a result, the auditor must perform more test work. Details of the auditor’s tests of controls and their results are provided in the report, and the report carries significantly more weight than a Type I. Your financial statement auditors are typically looking for SOC 1 Type II reports.
SOC 2 reports are not performed in accordance with SSAE 16, but instead fall under the guidance of the AICPA’s Attestation Standards (AT) Section 101. Similar to SOC 1 reports, they may provide assurance on the suitability of design and operating effectiveness of a service organization’s controls (Type I and Type II); however, they address controls related to security, availability of data, processing integrity, confidentiality and privacy. These reports are becoming increasingly common as industries such as cloud computing and Software as a Service (SaaS) continue to grow.
SOC 3 reports (formerly Trust Services reports) also fall under AT Section 101 and are essentially a less robust version of the SOC 2 report. These reports are available for general use and distribution (SOC 1 and SOC 2 reports are typically restricted). SOC 3 reports are only performed as Type I reports and do not contain details of the auditor’s testing and results.
A large percentage of companies outsource at least one function to a service organization. This may include, but is not limited to, payroll processing, cloud computing, investment custody and loan processing. While it may seem as though obtaining SOC reports is just checking a box for the auditors, management should already be reviewing these as part of their own due diligence and ongoing vendor management. Even though management may be outsourcing certain functions, they cannot outsource their responsibility for making sure that effective controls over these functions are in place. The board of directors, customers, regulators, and others hold management responsible for assessing and addressing the risks associated with the outsourced function.
Management should be reviewing SOC reports to gain an understanding of the service organization they are utilizing. By outsourcing a function to a service organization, they have potentially exposed the company to additional risks; it is important that they understand those risks in order to mitigate them.
Management should review the results of the tests performed for any exceptions, and confirm that management of the service organization has properly addressed any exceptions noted.
Finally, it is critical that management review and understand the complementary user entity controls. These are controls for which management of the company, not the service organization, is responsible. Many of the service organization’s control objectives depend on these user entity controls being in place.
Changes on the Horizon
In April 2016, the AICPA issued SSAE 18, Attestation Standards: Clarification and Codification, which will replace SSAE 16 effective May 1, 2017 (early adoption is permitted). SSAE 18 provides guidance for all attestation engagements, whereas SSAE 16 was specific to service organizations. While the changes are not significant, it is worth noting that SSAE 18 provides guidance regarding subservice organizations, as more service organizations are outsourcing certain functions to their own subservice organizations. Service organizations will be required to implement a system to ensure monitoring of controls at subservice organizations, and their reports will include complementary subservice organization controls.
For more information on SSAE 18, please visit the AICPA website.
If you have any questions, please call your BNN advisor at 1.800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.