What is SOC?

Until June 15, 2011, Service Organization Controls (“SOC”) Reports were issued under the Statement on Auditing Standards No. 70: Service Organizations, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and commonly abbreviated as SAS 70. The AICPA split and replaced SAS 70 with two new standards: Statement on Standards for Attestation Engagements (SSAE) 16 for service auditors, which is effective now, and a new SAS for user auditors. That new SAS is yet to be numbered as it is not effective until 2012 year-end audits. SSAE 16, Reporting on Controls at a Service Organization, applies when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated into that entity's financial statements. This relates to internal controls over financial reporting. In other words, it is used when information generated by service organizations is included in a user entity's financial statements.

The AICPA also recognized a growing marketplace need for reporting on controls over security, availability, processing integrity, confidentiality or privacy of outsourced systems. In particular, with the growth of cloud computing and the increase in outsourcing, service organizations are seeking some kind of "assurance" over controls other than internal control over financial reporting so their customers know that they have met a level of reliability and trust. The new SOC framework makes that assurance possible.

There are 3 types of reports:

  1. SOC 1: Report on controls at a service organization relevant to a user entity's internal control over financial reporting. This engagement is performed under the SSAE 16 standard.
  2. SOC 2: Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. This engagement is performed under the AT 101, Attestation Engagements standard.
  3. SOC 3: A Trust Services Report. It covers essentially the same subject matter as SOC 2, but in less detail and in a format that lends itself to a general-use report and a seal program. This engagement is performed under the AT 101, Attestation Engagements standard.


What are the major changes from SAS 70 to SSAE 16/ISAE 3402?

The most notable change for SOC 1 engagements is that the service auditor must now obtain a written management assertion about the fairness of the presentation of the description of the service organization’s system and the suitability of its design. In Type 2 engagements, the assertion must also address the controls’ operating effectiveness. Other changes include:

  1. Attestation standard vs. Auditing standard
  2. Use of suitable criteria
  3. Suitability of design opinion (point in time vs. entire period)
  4. Materiality
  5. Use of Internal Audit
  6. Opinion Format

What is the difference between a Type I and a Type II SOC Report?

There are two types of service auditor reports. A Type I report covers the service organization's description of controls at a specific point in time (e.g. June 30, 200X). This includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g. January 1, 200X to June 30, 200X) in order for the service auditor to opine on whether the specific controls were operating effectively during the period under review.

What are some of the benefits for undergoing a SOC audit?

The benefits for a service organization to undergo a SOC audit are:

  1. Gain a competitive edge among your peers
  2. Establish trust with your clients (the user organizations)
  3. Avoid the cost (time and money) of having to respond to multiple audit requests from your clients
  4. Identify redundant or ineffective internal controls during the process
  5. Having a Certified Public Accounting firm opine on the effectiveness of your controls for you

Who can perform a SOC 1, 2, or 3 audit? What should the service organization look for?

A SOC audit can only be performed by an independent certified public accountant (CPA) or firm. CPA firms that perform SOC audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). Member firms of the AICPA are required to follow specific guidance related to planning, execution, and supervision of the audit procedures. In addition, member firms are required to undergo a peer review to ensure that the firm's audits are conducted in accordance with generally accepted auditing standards.

The CPA firm, of course, may employ non-CPA professionals that have relevant information technology and security skills to participate in a SOC engagement. However, the final report must be reviewed and issued by a CPA. This is particularly important if a user organization's auditors plan to rely on the results of the service auditor's tests of operating effectiveness.

When a service organization selects an audit firm to perform their SOC audit, the service organization should consider the following:

  • Experience in performing SOC audits (i.e., service auditor's examinations)
  • Relevant industry experience (e.g., financial services, technology, telecommunications, health care, etc.)
  • Skilled audit professionals that understand information technology (IT) controls and processes
  • Availability of resources (i.e., bandwidth to deliver the services on time)
  • Project management skills

How are SOC audit reports generally distributed?

At the conclusion of a SOC audit engagement, the service auditor will issue a Service Auditor's Report. The audit reports are then provided to the service organization for distribution to their respective user entities (i.e. customers) and the independent auditors of the user organizations (i.e. user auditors). The user organizations are usually responsible for obtaining the audit report from the service organization and then distributing it to their auditors. SOC 1 and 2 are restricted to existing customers while SOC 3 has no distribution restrictions.

A service organization is free to give their SOC report to any third party. Professional standards do not limit service organizations' ability to distribute their report. A SOC (1 or 2) report is a "restricted-use report", which typically means that only the service organization, the service organization's clients, and the clients' auditors can rely on the report. Service organizations are free to give the report to any other third party, but those other third parties are not allowed to place any reliance on the report and can only use it for informational purposes.

Many audit firms misinform their clients when they suggest that a SOC audit report cannot be freely distributed. The professional standard that addresses this issue is AU Section 532, paragraph 18, titled "Limiting the Distribution of Reports", which clearly states that the auditor may advise that a restricted-use report not be distributed, but that the auditor has no responsibility for controlling the distribution of the report. The client has complete discretion as to which third parties ultimately receive a copy of the report. The report must be distributed in full, not in part.

Tips for obtaining a Service Auditor's Report: User Organizations

It is sometimes difficult to find the correct person from whom to obtain a copy of your service provider's SAS 70 report, especially in large organizations. Hopefully, your service provider will provide you with an account executive that can assist in obtaining the audit report. Otherwise, consider contacting the following individuals/departments at your service provider:

  • Office of the Controller
  • Internal Audit department
  • Sales and Marketing department
  • Information Systems department

Tips for obtaining a Service Auditor's Report: User Auditors

As part of planning the financial statement audit for an organization that uses a third-party service provider, the user auditor is required to consider the internal control environment at the service organization. A Service Auditor's Report can assist the user auditor in gaining an understanding of the service organization's controls. User auditors should generally request the Service Auditor's Report from their traditional audit contacts (i.e. personnel in the accounting or finance function) at the user organization.

What are the contents of a SOC report?

SOC reports are generally divided into three or four sections depending on the type of engagement performed. The content of each type of report is described in the following table:

| Section Contents | Type I Report | Type II Report |
|---|---|---|
| Independent Service Auditor's Report (i.e. audit opinion) | Included | Included |
| Service organization's description of controls with management's assertion | Included | Included |
| Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included |
| Other information provided by the service organization | Optional | Optional |

What is contained within a description of controls?

The description of controls should provide user auditors with information about the service organization's controls that may be relevant to a user organization's internal control. Service organization controls are considered relevant to a user organization's internal control if they represent or affect a user organization's internal control as it relates to an audit of financial statements. The service organization controls that may represent or affect a user organization's internal control include:

  • Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  • Risk Assessment – Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
  • Control Activities – Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities usually fall into one of two areas – General Controls & Application / System-specific Controls, which are client specific. General control areas typically include, but are not limited to, the following:
    • Control Environment
    • Computer Operations (limited application in client-server environments)
    • Physical Security
    • Environmental Security
    • Application Development, Maintenance and Documentation (i.e. Change Management)
    • Data Communications
  • Application or System-specific controls change for every client. They are the control activities implemented into the actual service of the service organization. These control activities vary significantly from client to client; however, there is some commonality between service organizations in the same industry.
  • Information and Communication Systems – Information and communication systems support the identification, capture, and exchange of financial information in a form and timeframe that enable personnel to carry out their responsibilities.
  • Monitoring – Monitoring is a process that assesses the quality of internal control performance over time.

The description of controls should be presented at a level of detail that provides user auditors with sufficient information to plan the audit as described in SAS No. 70 and SAS No. 55. The description does not need to address every aspect of the service organization's processing or the services provided to user organizations. In summary, the service organization's description of controls should generally contain the following information:

  • The related accounting records, manual and/or electronic, and supporting information involved in initiating, authorizing, recording, processing, and reporting transactions;
  • Aspects of the service organization's control environment; risk assessment; information and communication systems; and monitoring that may affect the services provided to user organizations, as it relates to an audit of financial statements;
  • Control objectives and related control activities;
  • The process used to prepare reports and other information used by the User Entities;
  • The procedures for correcting incorrect information; and
  • Changes to controls since the later of the date of the last report or within the last twelve months.

How can a service provider prepare for a SOC audit?

A service provider can do many things to prepare for a SOC audit engagement. Defining control objectives and identifying related control activities is an important step in the SOC audit process. Many service providers will engage a professional services firm with a background in both financial auditing and IT auditing to assist with drafting the control objectives and evaluating the existing control activities. This allows the service provider to determine if any improvements need to be made with respect to the control environment prior to the start of the actual SOC audit.

If the service provider has an internal audit department, the internal auditors could also assist with developing the control objectives and documenting the related control activities. Internal audit can also periodically evaluate and test some of the controls that may be tested as part of the SOC audit to determine if improvements need to be made.

How much does a SOC audit/examination cost?

The cost of a SOC audit/examination largely depends on the amount of time that it takes the service auditor to perform the necessary procedures to render an opinion on the controls placed in operation and the tests of operating effectiveness.

A SOC audit/examination is an in-depth evaluation of a service organization's controls. A SOC examination is not a "checklist" audit. During a SOC examination, the service auditor spends a considerable amount of time reviewing documentation on control processes; conducting inquiries with personnel; observing the existence and performance of controls; and inspecting evidence that supports the operating effectiveness of a control. In addition to performing the necessary audit procedures, the service auditor prepares a summary report that contains the independent service auditor's opinion, the service organization's description of controls, and, in the case of a Type II SOC, a summary of the tests performed and the results obtained. Professional service firms that are members of the AICPA also have internal quality control procedures related to the review of working papers and the final audit report that must be completed prior to issuing the service auditor's report to management.

Professional service firms typically bill by the hour based on the level and experience of the staff conducting the audit. SOC audits usually require experienced professionals that understand auditing, business processes, controls, and technology.

Service organizations that have to provide the results of a SOC audit to a large number of customer organizations may want to consider passing some of this cost along to the customer organizations as an additional fee.

Much of the information above is based on the AICPA's audit guide entitled "Service Organizations, Applying SAS No. 70, As Amended" and the SSAE 16 standard "Reporting on Controls at a Service Organization".