Service Organization Controls

From Wikipedia, the free encyclopedia

Service Organization Controls are a series of accounting standards used to evaluate a service organization's controls over financial information. They are covered under both the SSAE 16 and the ISAE 3402 professional standards.

SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.

SOC 1 Overview

SOC 1 reports, which have effectively replaced SAS 70 reports as of June 15, 2011, are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SOC 1 reports retain the original purpose of SAS 70 by providing a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted use reports, which means use of the reports is restricted to:

  • Management of the service organization (the company who has the SOC 1 performed)
  • User entities of the service organization (service organization’s clients), and
  • The user entities’ financial auditors (user auditor). The report can assist the user entities’ financial auditors with laws and regulations such as the Sarbanes-Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures and, if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

For reports that are not specifically focused on internal controls over financial reporting, SOC 2 and SOC 3 reports should be used. These reports will focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. In the past, SAS 70 reports often encompassed financial reporting controls, operational controls, and compliance controls.[1]

SOC 1 Type I and Type II Reports

As with SAS 70 reports, both SOC 1 Type I and Type II reports can be issued:[2]

  • Type I – a Type I is a report on policies and procedures placed in operation as of a specified point in time. SSAE 16 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a specific date.
  • Type II – a Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SSAE 16 Type II reports include the examination and confirmation steps involved in a Type I examination and add an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.

SOC 2 Overview

For services which do not impact a service organization's internal controls over financial reporting, SOC 2 reports are the appropriate option. SOC 2 reports focus on controls at a service organization relevant to the following principles:[3]

  • Security: The system is protected against unauthorized access (both physical and logical)
  • Availability: The system is available for operation and use as committed or agreed
  • Processing Integrity: System processing is complete, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected as committed or agreed
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.