The five Ws of SOC reports
As business environments become increasingly specialized, organizations often find ways to leverage the abilities of other companies through outsourcing. But how does an organization evaluate what internal controls are in place at these outsourcing companies? And if the proper controls are in place, do you know if they are working correctly? Are you comfortable with just having your service organization complete a controls questionnaire? Below are the five Ws for demystifying one of the most effective ways to evaluate a service organization.
Before we dive in, here are a few key terms to know:
- User entity: Any organization that uses another organization (service organization) to perform outsourced services
- Service organization: An organization or segment of an organization that provides services to user entities
- Service auditor: A practitioner who reports on controls at a service organization
What are SOC reports?
A Service Organization Controls (SOC) report is an attestation report of the service organization's controls. Three types of SOC reports exist, designed with different users and objectives in mind.
The SOC 1 report is specific to the service organization's internal controls that are likely to be relevant to user entities' financial reporting or internal control over financial reporting (ICFR). SOC 1 engagements are performed in accordance with the AICPA SSAE 16 standard; thus, you may also hear them referred to as SSAE 16 reports. The SOC 1 report includes a management assertion, management's description of the system (i.e., the narrative), disclosure of the specific controls in place to achieve the control objectives and, in a Type 2 report, the service auditor's description of the tests performed and the related test results.
The report is restricted to existing user entities and their financial auditors. Thus, the report is not intended for potential customers.
The SOC 2 report covers controls beyond financial reporting, such as operational risks. Specifically, the report addresses one or more of the following five AICPA Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. The SOC 2 report has the look and feel of a SOC 1 report, including a management assertion, management's description of the system (i.e., the narrative), disclosure of the specific controls in place to achieve the criteria (unlike the control objectives of a SOC 1, the criteria are predefined by the AICPA) and, in a Type 2 report, the service auditor's description of the tests performed and the related test results.
The SOC 2 report is restricted to use by specific parties who have an understanding of the service organization and its controls, such as current customers, regulators, business partners, suppliers and the customer's financial auditors.
The SOC 3 report, like the SOC 2, utilizes the same criteria in the AICPA Trust Services Principles and Criteria. There are, however, differences that should be considered. The SOC 3 report does not include a detailed description of the system's controls. This report requires a brief system description that is used to delineate the boundaries of the system under examination. The specific controls to achieve the criteria and the service auditor's description of tests performed and related test results are not disclosed in the SOC 3 report.
There are no restrictions on the distribution of the report, so it can be freely distributed to current or prospective customers. In addition, a SOC 3 report can be delivered in the form of a seal, which can be displayed on the service organization's website. The seal includes a hyperlink to the completed SOC 3 report.
Why is it important?
From transaction processing to data centers, more services are outsourced to companies that have made the specific service a core competency and can provide it more efficiently and cost effectively. However, the user entity retains responsibility for the services it provides and for securing sensitive data. The SOC report is an effective way to gain transparency into the specific controls implemented by the service organization and the specific tests performed by the service auditor. The success or failure of these controls can have a direct or indirect impact on the user organization's financial statements and overall reputation.
Who should obtain and review the report?
Individuals responsible for the organization's internal controls, regulatory and IT compliance should obtain and review the SOC report. For example, your organization's vendor compliance, internal audit, IT management and legal departments all may have interest in understanding the control structure of the service organization.
Key aspects to consider when reviewing a specific SOC report include the following:
- Does the report include testing operating effectiveness of controls for a specific period of time (Type 2), or does the report only cover a specific point in time (Type 1)?
- For SOC 1 reports, does the time period of the tests of controls provide appropriate coverage for your specific financial reporting fiscal year?
- Is the system or report scope appropriate for the services that you outsource?
- Does the scope of the system include a subservice organization [1], and has the service organization used the carve-out method [2] or the inclusive method [3]?
- Review any testing exceptions to determine their impact on your assessment of the service organization.
- For SOC 1 and SOC 2 reports, review the complementary user entity controls. These controls are your responsibility to perform so that the overall control objectives or criteria within the report are achieved.
- Consider the service auditor's professional reputation.
When is the report issued?
The reporting periods for SOC reports vary. The majority of SOC 1 reports are aligned with user entities that have a calendar year end of Dec. 31. To ensure that the report is provided to the user entity by that time frame, SOC 1 reports typically cover a twelve-month period, from Oct. 1, 20x1 through Sept. 30, 20x2, or a nine-month period, from Jan. 1, 20x1 through Sept. 30, 20x1. For SOC 2 reports, the time frame may be consistent with SOC 1 reports or vary depending on the system scope or the needs and requests of the users of the report.
SOC reports are usually issued within 45 to 60 days of the report's as-of date or period end date. For the purposes of your review of the controls, the dates of the report may not cover the entirety of your fiscal year. In this instance, service organizations may issue a "bridge letter" or "gap letter." The purpose of this letter is to provide a representation from the service organization regarding material changes from the end of the SOC report period through the date specified in the letter.
Where does an organization obtain the report?
SOC reports can only be obtained directly from your service organizations, unless a SOC 3 seal has been issued. Because the reports can contain sensitive information and, as described above, carry a restriction that defines the intended users of the report, service organizations do not post the report publicly on the Internet unless a SOC 3 seal is utilized. If the service organization does not already provide its SOC report, a request should be made to your client service representative at the service organization.
Factors to consider when auditing an entity that utilizes a service organization
[1] Subservice organization: A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting.
[2] Carve-out method: A method of addressing the services provided by a subservice organization whereby management's description of the service organization's system identifies the nature of the services performed by the subservice organization and excludes, from the description and from the scope of the service auditor's engagement, the subservice organization's relevant control objectives and related controls.
[3] Inclusive method: A method of addressing the services provided by a subservice organization whereby management's description of the service organization's system includes a description of the nature of the services provided by the subservice organization, as well as the subservice organization's relevant control objectives and related controls.