In today’s world, you would be hard-pressed to find an organization that does not outsource at least one function or component of their control environment to a third-party service provider. From payroll processing to invoice creation and cloud storage to backup solutions, outsourced service providers have provided companies with cost-effective and efficient options to reduce the need for internal resources to perform repetitive or highly-technical tasks. While this has helped organizations reduce headcount, stress, and certain costs, it does not eliminate the company’s responsibility to ensure their processes are functioning correctly, their data is secure, and their control environment is strong. As these types of relationships have become more prevalent, so has the demand from clients (or “user entities”) and their external auditors for service organizations to provide assurance that their processes and controls are designed, and operating, effectively.
To that end, the American Institute of Certified Public Accountants (AICPA) has issued guidance allowing CPA’s to issue examination reports, supported by an opinion and performed on behalf of service organizations, providing assurance on the design and operating effectiveness of their internal controls. These reports, called System and Organization Control (SOC) reports, come in three different flavors:
SOC 1 – Restricted use report on controls relevant to internal control over financial reporting. Focus of report is typically on financial transaction processing, examples of which include payroll processing companies, bank services and billing companies.
SOC 2 – Restricted use report on controls dictated by the Trust Service Criteria relevant to security, availability, processing, integrity, confidentiality, or privacy. Focus of report is on IT and security related controls, examples of which include cloud providers, backup solutions, outsourced IT providers, among others.
SOC 3 – Similar to the SOC 2 report, but designed for general use (not restricted to users of the service organizations).
Each report comes in two types: Type 1 reports provide an opinion on the design effectiveness of the controls. A Type 2 report provides a higher level of assurance in that it provides an opinion on both the design and operating effectiveness of the controls in place. Regardless of the SOC report or the type, these reports are typically issued annually.
SOC Report Benefits
While user entities and their auditors may request, or even demand, a SOC report from a service organization, it’s important that a service organization not view this as simply a burden or as a “check-the-box” exercise. As a service organization, there are several benefits to having a SOC report performed:
SOC Service Methodology
An initial SOC engagement typically starts with a “readiness assessment” to ensure the organization is “SOC-ready”. Based on the readiness assessment, we can provide the organization with a list of control gaps and/or opportunities for improvement to be implemented by management prior to the start of the period covered by or date of the initial SOC report, depending on whether the report is a Type 1 or Type 2. On a recurring basis, the SOC engagement will be re-performed with the issuance of a new and updated SOC report so that user entities can be updated regularly on the status of the organization’s systems and controls. As an example, for a SOC 1 Type 2 engagement, a typical coverage period is January 1 through September 30, with a bridge letter provided to user entities from management for the remainder of calendar year.
How can we help?
As we began, requests for SOC reports are on the rise. As a user entity, making sure your third party vendors are fulfilling their control obligations to your company are key. As a service provider, making sure your control environment is ready to be SOC complaint can be the difference in getting a new client or not. But the road to being SOC compliant is not always smooth sailing, nor is it achieved overnight. If you are beginning to get requests from your clients for your SOC report, Citrin Cooperman’s Technology Risk, Advisory & Cybersecurity (TRAC) Practice’s Third Party Assurance Team is here to help. Whether it be assisting with a readiness assessment to determine if your organization is “SOC-ready” or if you need guidance on determining which SOC report is right for you, our team of Internal Control experts are only a call away.
Contact us to learn more:
|David Roath, CPA
|Michael Camacho, CPA, CIA
|Samantha Kerwin, CPA, CGMA, MBA