We return now to Service Organization Control Reports and what they accomplish, who might have them, and how they can benefit your organization. This week we will cover the SOC 1 Report. But before we dive too deeply into SOC Reports, it will be valuable to provide some definitions. These apply no matter which SOC report is being used.
- Service Organization - the third-party provider to whom a service or function is being outsourced.
- User Organization - the company that uses the services of a service organization.
- Service Auditor - the CPA firm that performs the SOC audit for the service organization.
- User Auditor - the CPA firm that performs audit or attest services for the user organization.
- Management's Assertion - a letter prepared by management of the service organization taking ownership of the controls in place at the service organization.
- Description of the System - a narrative written by management of the service organization describing the nature of the service organization, risk management, governance, controls, and a host of other information. The service auditor issues an opinion on the accuracy of the description.
- Complementary User Entity Controls - a list of internal controls that the service organization expects the user organization to have in place in order for the service provider's controls to operate effectively.
So who should have a SOC report? And what type of report should it be? I have seen some confusion in both industry and public accounting about which organizations are candidates for SOC reports. There are two key questions to ask to determine whether a SOC report is necessary: First, does the service provider process or calculate accounting information for my business? Second, is the data hosted by the service provider sensitive or mission critical to my business? If the answer to either of these questions is yes, then a SOC report is probably necessary and should be obtained and reviewed.
Turning our focus to the SOC 1 (also referred to as SSAE 16), let's define the stated purpose of the report. Of the three SOC reporting options, a SOC 1 is the most like the former SAS 70. That is, the stated purpose of the SOC 1 is to give the auditor of a user entity's financial statements information about controls at a service organization that may be relevant to the user entity's internal control over financial reporting. A Type 2 SOC 1 report includes a detailed description of the tests of controls performed by the CPA and the results of those tests.
Okay, that’s confusing AICPA Standards language so let’s break it down. The financial statements of your business, ABC, Inc., are being audited by YHB. YHB must perform many procedures to get a level of assurance on the dollar amounts and notes represented by ABC’s accounting department. ABC has outsourced a component of its Accounts Receivable to a third party mail processor, Third Party Mail Receivers, Inc. (TPMR). TPMR collects payments mailed by ABC’s customers, posts the receivable transactions to ABC’s books, and deposits the cash and check receipts into a checking account for ABC, Inc., who pays a small percentage of the collections to TPMR for this service. How can YHB’s auditors verify that the amounts collected by TPMR are accurately reflected in ABC Inc.’s financial statements? TPMR is in the business of collecting mail receipts for its clients, so it would be inefficient for TPMR to work with the financial auditors of each of its clients.
The solution, in part, is for TPMR to engage a CPA firm (the Service Auditor) to perform a SOC 1 report. By identifying a series of control objectives and internal controls that support the integrity of its processes, TPMR can provide a SOC 1 report to its users, ABC Inc., who will provide the SOC 1 to their financial auditors, YHB. In turn, YHB can place reliance on the SOC 1 report for TPMR, in the process of forming an opinion on the Accounts Receivable and Revenue components of ABC Inc.’s financial statements.
The distribution and use of a SOC 1 report are restricted to the Service Organization, the users of the Service Organization, and the independent auditors of the user organizations.
The Service Auditor's report will contain an opinion on three things. First, an opinion on the fairness of the Service Organization's Description of the System. The Service Auditor will perform procedures to verify that the narrative at the beginning of the SOC 1 is accurate. Second, the Service Auditor will provide an opinion on the suitability of the design of the internal controls related to the control objectives in the Description. Finally, the Service Auditor will opine on the operating effectiveness of the controls related to the control objectives during a specified audit period. If all three of these opinions are unmodified, then the Service Organization has received an unmodified opinion.
It's also important to note what a SOC 1 does not cover. A SOC 1 report does not provide any assurance over the financial condition of the service provider. It also does not always provide assurance over the security or availability of data hosted or processed at the service provider. And most SOC 1 reports include a section called Complementary User Entity Controls. If the user organization does not properly review and implement these controls, then the SOC 1 will be less reliable. SOC 1 reports are only applicable to an outsourced environment. In situations where a third party develops software, and the software is hosted in-house, a SOC 1 report will be of limited benefit.
As businesses continue to evaluate ways to reduce costs, increase efficiency, and gain a competitive advantage, outsourcing will grow, making SOC reports increasingly important to financial statement audits. And in addition to financial statement audits, businesses need assurance on the security, availability, and integrity of outsourced data, including non-accounting data. The SOC 2 report was designed for this purpose. In two weeks we will cover the basics of the SOC 2 report.