Using a SOC Report to Evaluate a Service Organization: Part 2
What do I do with the service auditors’ report and management’s assertion?
This is a continuation of our Using a SOC Report to Evaluate a Service Organization series. In these articles we will delve further into the components of SOC reports. As a reminder, the components of a SOC report are included below. In this article we will discuss what to look for when reviewing the service auditors’ report and management’s assertion.
Components of a SOC report
The components of a SOC report that you should review closely, which each provide specific information to support vendor due diligence, include:
- The service auditors’ report
- Management’s assertion
- The content of the description, including either:
  - The control objectives specified by management (SOC 1); or
  - The trust services categories selected by management (SOC 2)
  - Any complementary user entity controls (CUECs) or complementary subservice organization controls (CSOCs) specified in the report, which are included as part of the description
- The results of the service auditors’ testing
- Other information presented by the service organization
The Service Auditors’ Report
The service auditors’ report is the core part of a SOC report: it documents the opinion (unqualified or qualified) that the service auditor has rendered on the service organization’s system.
There are two types of reports – a type 1 and a type 2. In both types of reports, the service auditor provides an opinion on the following items:
- Management’s description of the service organization’s system – The service auditor provides an opinion as to whether the system description is fairly stated (SOC 1) or whether the system description has been presented in accordance with the “description criteria” (SOC 2).
- The suitability of the design of the controls – The service auditor provides an opinion as to whether the controls, as designed, would provide reasonable assurance that the controls specified by the service organization would achieve the control objectives (SOC 1) or would achieve the service commitments and system requirements based on the trust services criteria (SOC 2).
Note: We will provide further clarity on control objectives and trust services criteria in future articles in this series.
In the case of a type 2 report, the service auditor will also render an opinion on the operating effectiveness of the controls over the specified reporting period.
To know if the report you are reading is a type 1 report or a type 2 report you can look at the period of time specified within the report. A type 1 report is as of a specified date and a type 2 report is throughout a specified period, such as over six or twelve months.
Sometimes the service auditor will include additional paragraphs within the service auditors’ report. An example of this is when the service auditor is issuing a qualified opinion and will add an “except for” paragraph explaining that the service auditor has rendered an unqualified opinion except for the items noted within the paragraph. If the qualification is due to an operating effectiveness issue, the specifics of the qualification can be found in the section of the report that contains the service auditors’ tests and results of testing. For example, if during the testing of monthly reconciliations the service auditor identified that the reconciliation was not prepared for certain months, the related finding (or exception) would be disclosed in the report.
Another example of an additional paragraph in the service auditors’ report is a “matter of emphasis” paragraph. A matter of emphasis paragraph is used by the service auditor to call attention to a matter that is of great importance and could be fundamental to the users’ understanding of the report. For instance, there may have been a certain set of controls that did not operate during the period covered by the report that the service auditor may have concluded are material for the report user to consider.
Finally, sometimes the service organization opts to include additional information in the SOC report to provide additional information to the users of the report. This information is not subject to examination by the service auditor and is included in a separate section of the report. Since the information is not subject to examination by the service auditor, an opinion on the information is disclaimed in the service auditors’ report.
Now that we have covered the service auditors’ report, let’s discuss management’s assertion. Management’s assertion is applicable to both type 1 and type 2 reports, and it should state whether the subject matter is in accordance with the criteria.
The contents of management’s assertion include:
- The name of the service organization’s system or the function it performs
- If applicable, a reference to complementary user entity controls or subservice organization controls
- The criteria management used in developing the description of the system
- If relevant, an acknowledgment of the impact of any matters that resulted in a modified service auditors’ report
Hopefully, with this new understanding of these components of a SOC report, you’ll be better prepared to review any SOC reports for the service organizations you are evaluating.
Look forward to additional articles delving deeper into each component of a SOC report to come!
For more information or a discussion on how this may impact you, please contact your BNN advisor at 800.244.7444.