Using a SOC Report to Evaluate a Service Organization: Part 1

By Emily Antonico September 8, 2020

Are you using a service organization?

A service organization is an organization that performs some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting or that may be significant to operations.

Some examples of service organizations include:

• Payroll service providers
• Trust administrators
• Benefit plan administrators
• Health care claims management processors
• Financial reporting system hosting provider
• Enterprise IT outsourcing
• Sales force automation
• Managed security providers
• Customer support providers
• Cloud-based solution providers (Software-As-A-Service; Platform-As-A-Service)

What is a SOC report?

System and Organization Controls (SOC) Reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service. There are various types of SOC reports with the two most prominent reports being the SOC 1 and the SOC 2. SOC 1 reports are reports over controls relevant to user entities’ internal control over financial reporting. SOC 2 reports are reports over controls relevant to security, availability, processing integrity, confidentiality, or privacy.

How to read a SOC report

SOC reports contain a plethora of information relating to the service organization, and it can be difficult to know what you should focus on when it comes time to perform your initial and ongoing due diligence over the service provider by reviewing the report. The remainder of this article is going to provide a high-level overview of the various parts of the SOC report.

Components of a SOC report

The components of a SOC report that you should review closely, which each provide specific information to support vendor due diligence, include:

• The service auditors’ report
• The content of the description, including either
  • The control objectives specified by management (SOC 1); or
  • The trust services categories selected by management (SOC 2)
• Any complementary user entity controls (CUECs) or complementary subservice organization controls (CSOCs) specified in the report, which are included as part of the description
• The results of the service auditors’ testing
• Other information presented by the service organization

The Service Auditors’ Report

The service auditors’ report is the core part of a SOC report, documenting the service auditors’ opinion rendered (unqualified, qualified) on the service organization’s system.

The Content of the Description

The description of the service organization’s system contains important information relating to the key processes and controls in place at the service organization. The description also includes the control objectives specified by management (SOC 1) or the trust services categories selected by management (SOC 2) as well as any CUECs or CSOCs specified by the service organization.

The Results of the Service Auditors’ Testing

This section includes all of the controls specified as necessary by the service organization and the related tests performed by the service auditor as well as the results of those tests.

Other Information Provided by the Service Organization

This section includes any information that the service organization thinks is important to the readers of the report.

The task of reviewing any of your service organizations’ SOC reports for initial and ongoing due diligence can seem daunting, but if you break it down into its individual components and focus on what is most important, you can perform your review efficiently and effectively.

Look forward to additional articles delving deeper into each of the above areas to come!

If you would like to discuss these matters further, contact Emily Antonico or your BNN advisor at 800.244.7444.