Home

Quick Links

Legal & Sitemap

navigation
Home > Trends & Insights > Service Organization Control Reporting

Newsletter

 

Sunday, June 17, 2012

Service Organization Control Reporting


In 2011, the American Institute of CPAs retired the old “SAS 70” reports. These engagements provided assurance on controls at a service organization under the Statements on Auditing Standards. The SAS 70 reports have been replaced by three SOC reports.

Originally intended for service organizations that actually processed transactions on behalf of their clients, SAS 70 reports came to be used for assurance on a variety of outsourced services. As outsourcing and specialization has expanded, the AICPA recognized that new standards were needed to address a broader array of outsourced activities. These new types of reports are known as “SOC” reports—service organization control reports.

Assurance over Outsourced Services
To better reflect the types of services outsourced, the new standards provide different reporting options depending upon whether a user entity needs assurance on controls related to financial reporting (SOC 1) or controls related to other types of services (SOC 2 and SOC 3). Many of these other services are related to information technology—data processing, cloud computing or record retention. User entities are seeking assurance that their online storage, website and hosted applications are supported by strong controls.

Almost every company and nonprofit organization outsources some important activities. For example, most companies outsource their payroll processing. Whether intentionally or by default, companies outsourcing payroll are placing some level of confidence in the internal controls of their payroll service providers. Organizations with investment accounts assume that their custodians and investment managers have adequate controls over accounts and assets. The lack of proper controls can have major real-world consequences. For example, the Bernie Madoff scandal illustrated this to many investors, while the Axium International bankruptcy demonstrated this to entertainment companies using their payroll service.

SOC 1 – Financial Controls
SOC 1 engagements are intended for users that need assurance on outsourced activities that impact user entities’ financial statements. Payroll and investment services are common examples of this type of activity.

Companies that rely upon outsourcing to manage part of their financial activities should include a review of the SOC reports of their service providers as part of their own internal controls. If a service provider lacks a SOC report, management should determine what controls are needed internally to compensate for the lack of information on the service provider. Management may determine that implementing those controls is too costly, and search for a service provider that can provide assurance on their controls.

SOC 2 – Trust Principles and Information Processing
SOC 2 engagements are intended for users who need information and assurance regarding controls at a service organization affecting one or more of the following principles with respect to user data or outsourced services:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

In a SOC 2 engagement, management is able to select the Trust Service Principles defined by the AICPA standards that will be covered by the report. Because of this flexibility, one of the first tasks that management faces is a decision on the applicable trust services principles for the engagement.

The service organization’s controls must meet all of the criteria established by the AICPA for the applicable trust principles. Accordingly, a second major task will be to organize the controls documented by management against the criteria established for the applicable trust principles. Additionally, management must provide assertions related to the trust criteria.

A service organization may decide to report on compliance with other standards in addition to trust services criteria. If a service organization is required to adhere to a set of third-party compliance requirements, these can be used as a model for reporting in a SOC 2 engagement. Since these engagements are conducted under attestation standards, there is flexibility in their application that allows for broader usage.

SOC 3 – Levels of Assurance
SOC reports can be issued as either a Type 1 report or Type 2 report. Both Type 1 and Type 2 reports include:

Management’s description of the service organization’s system

A written assertion by management of the service organization regarding compliance with the trust criteria

The service auditor’s report expressing an opinion on management’s assertion

A Type 1 report includes an opinion on the description of management’s controls and whether they are adequate to address the criteria. The service auditor reviews the design of controls, but does not test to see that they are operating effectively. The assurance provided to a user entity is limited.

A Type 2 report includes an opinion on the operating effectiveness of controls. It includes a detailed description of the service auditor’s test of the controls and results of the tests. Because of the testing involved, Type 2 engagements are significant undertakings, both for the CPA firm and for management.

Providing Customers with Assurance
Companies that provide outsourced services will face increased demands for SOC reports from their clients and customers. If your company provides business services, consider the following:

Do you process transactions for clients that they will need to record in their own financial records? If so, your clients may need the assurance provided by a SOC 1 report.

Do you have access to client data that requires confidentiality? If so, your clients may need you to provide assurance on the security, confidentiality or privacy trust principles (SOC 2).

Do your clients rely on you for key information processing services? If so, they may need assurance on availability or processing integrity (SOC 3).

SOC reports are conducted under “Attestation Standards,” which means that they are a type of assurance service that must be conducted by an independent accountant.

SOC engagements are one of several types of assurance services that can be provided by Armanino’s assurance department.

COMMENTS

comments powered by Disqus