Service Organization Controls (SOC Reports)


With the advent of the Sarbanes-Oxley Act (SOX), other demands for transparency, and increasing globalization and outsourcing, the use of SSAE 16 reports (formerly SAS 70 reports) has grown exponentially. Service organizations that provide key third-party outsourcing services often need to be accountable to the clients they serve. These organizations include:

  • claims processors
  • application service providers
  • benefits administrators
  • payroll companies
  • data centers

Furthermore, the creation of Service Organization Controls reports (SOC 2 and SOC 3) provides two new reporting vehicles developed for service organizations to respond to demands for uniform reporting and review, expanding service organizations’ ability to report on non-financial controls and, with SOC 3, to become certified trusted system service organizations.

CPAs perform SSAE 16 attestation engagements to provide assurance to the service organization’s customers and their auditors that the organization has specific, adequate and effective controls in place.

  • Type I audits consider the controls’ design and effectiveness at a specific point in time.
  • Type II audits examine the controls’ effectiveness over a specific period, typically six to 12 months.

Unlike previous SAS 70 audits, SSAE 16, SOC 2 and SOC 3 engagements address today’s environment, which:

  • Requires greater international consistency,
  • Addresses newer technologies such as cloud computing, mobile and virtualization,
  • Demands more widely recognized and understood reporting options.

SSAE 16 (SOC 1)

SSAE 16 (SOC 1) presents several changes from SAS 70. It requires management to provide a written description of its system, to assert that the system description is fairly presented, that the control objectives are suitably designed and that the controls operate effectively, and to identify the criteria used to make those assertions.

While SSAE 16 (SOC 1) examines service organizations’ controls related to financial reporting, SOC 2 and SOC 3 review non-financial reporting controls.

SOC 2 Engagements

SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of the SSAEs (AICPA, Professional Standards, vol. 1). An SOC 2 report is similar to an SOC 1 report: either a type 1 or a type 2 report may be issued, and the report provides a description of the service organization's system. A type 2 report also includes a description of the tests performed by the service auditor and the results of those tests.

SOC 3 Engagements

SOC 3 engagements use the same predefined criteria in Trust Services Principles, Criteria and Illustrations that are used in SOC 2 engagements. An SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (there is no description of tests and results and no opinion on the description of the system). It also permits the service organization to display the SOC 3 seal on its website. SOC 3 reports can be issued on one or several of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

Differences between SOC 2 and SOC 3 Reports

The key difference between an SOC 2 report and an SOC 3 report is that an SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and the results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system.

LBMC’s multi-disciplinary teams have the financial and information systems auditing experience to ensure that service organizations undertaking an SSAE 16 or SAS 70 engagement have the best information for their organization, industry and clients.

Download our Free SOC Audit & Compliance Guide

Don't wait. Get ready for SOC success with our free, popular 25-page guide, How to Prepare for a SOC Examination. It contains all of the information in SOC 101 and much more.

Chapter 1: Understanding the SOC Report
Chapter 2: Preparing for a Successful SOC Report
Chapter 3: Maximizing Your Preparation Efforts
Chapter 4: Selecting an Audit Firm
Chapter 5: Integrating SOC Reporting with Regulatory Compliance Mandates
SOC Glossary

Download the Free SOC Guide Today
