At some point, you have probably been asked by your examiners or external auditors to explain how you get comfort that your internal controls are working the way they are supposed to. They also ask a harder question: how do you know that the controls at your critical vendors or service organizations are operating effectively? To answer that properly, you typically go to your vendor with a request of your own: how do I know that YOU have controls that I, as your customer, can rely upon?
This is where the SOC (System and Organization Controls) report for a service organization comes in.
To start, you might be wondering what qualifies as a service organization. "Service organization" is the term the American Institute of Certified Public Accountants (AICPA) uses for a company that provides outsourced services to you, the customer. The key point is that this vendor or service organization may provide services that could affect your financial reporting or other important components of your data (more on that later).
My CUSO, like others, provides services to our clients that would fall under these provisions, which is why we engage an audit firm to perform a review of our controls and provide our clients with the results of this review (via a SOC report). There are likely other vendors you engage with who provide services that would fall under these provisions, as well.
So, now that we know who you should get a SOC report from, let’s discuss what a SOC report is and how you should review it.
A SOC report (there are a few different kinds, described below) is an attestation report in which a company's management asserts that certain controls are in place and meet the objectives outlined in the report, and an independent CPA firm issues an opinion on whether it agrees with management's assertions. In other words, your service organization is affirming that it has the policies and procedures (controls) in place to fulfill the objectives stated in the SOC report. The CPA firm, in turn, performs an examination to test these assertions and issues an opinion that you can rely upon when assessing your own control environment.
Types of SOC reports
There are three main types of SOC reports:
SOC 1
This report focuses on the service provider's processes and controls that could impact its clients' internal controls over financial reporting (sometimes referred to as "ICFR"). Our CUSO provides three different SOC 1 reports, aligned with the different services provided to our clients:
- Application Processing and Managed Hosting Services
- Program Development
- Network Management Services
SOC 2
Unlike the SOC 1, which focuses on controls over financial reporting, the SOC 2 report assesses the controls over our core program and support systems that are relevant to security, availability, confidentiality, processing integrity, and privacy, as specified in the AICPA's Trust Services Principles. A SOC 2 report is restricted to the service organization's management, customers, and prospective customers.
SOC 3
The SOC 3 reports on the same information as a SOC 2 report; however, it is intended for a general-use audience. This report is much shorter and contains very little detail on the specific controls operating within the company. Some vendors, including my CUSO, may not obtain a SOC 3 report, since the SOC 2 is more comprehensive and provides the level of detail clients need to assess their own control environment.
How to read the SOC report
The general layout of the SOC 1 and SOC 2 reports is fairly similar. As my CUSO most recently issued the SOC 2 report for fiscal year 2020, we will use that report for illustrative purposes in outlining the general layout and what to look for when you perform your review. Feel free to download the report here and review it in conjunction with the outline below.
Section 1: Independent service auditor’s report
The first section of the report is the CPA (independent service auditor’s) report which provides the key conclusion that you should review—the auditor’s opinion. The key phrases you should be looking for are that the “controls are suitably designed” and that such controls “operated effectively.”
Section 2: Management’s assertion
This one-page assertion is management's confirmation that we have provided an accurate description of our controls, that we believe they are suitably designed, and that they operated effectively in the designated period. The description of services is intended to give report users information about the core programs and support systems that may be useful when assessing the risks arising from those systems.
Section 3: Overview of operations
This section is meant to provide the user with information about their vendor’s operations, the scope of the report, the principal service commitments and system requirements relevant to the trust services criteria (security, availability, confidentiality, processing integrity and privacy), and their control environment and detailed controls.
These pages provide helpful reference information, but the pages you will want to pay the most attention to are the Complementary User Entity Controls—these are the controls and processes you need to ensure you have implemented to achieve the applicable trust services criteria. This is not an exhaustive list of controls, but should be considered in the design of your control environment.
Section 4: Test procedures
This section lists the controls that my CUSO has identified as the processes we have in place to meet the trust services criteria, the testing performed by the auditors, and the results of that testing. You, as the user entity, will want to review the results and analyze any exceptions to understand their implications for your overall control environment. Ideally, you should document each exception together with your response to it (whether the exception is applicable to you, why it is not concerning, or which compensating controls you have in place), as examiners may request evidence of your review.
Section 5: Other information
The final section of the report is additional information provided by the vendor that they believe is relevant to the SOC report. This information has not been audited by the external auditors, but will likely be useful in your review. This section includes management’s responses to identified exceptions which you can leverage as part of your own review of this report.
If you'd like more information or reference materials, all of the relevant SOC reports and other due diligence materials are available on our Due Diligence site here. Additionally, if you have questions about our SOC report or other due diligence-related matters, please feel free to contact our Internal Audit team; we would love to hear from you! Our contact information is below:
Christen Lipschutz (firstname.lastname@example.org)
Patrick Sickels (email@example.com)
Very clearly written, easy to follow, and therefore informative.