What Service Organization Control (SOC®) Engagements Can Mean For Your Business - Nawrocki Smith

What Service Organization Control (SOC®) Engagements Can Mean For Your Business

Published: 6/1/2016 2:49:57 PM

hat Service Organization Control (SOC®) Engagements Can Mean For Your BusinessService Organization Control (SOC) Engagements

Formerly known as the SAS70, the Service Organization Control (SOC®) reports convey confidence in your internal controls over financial reporting of your business to your customers and their auditors. They also can provide information regarding your controls related to security, availability, processing integrity, confidentiality and privacy. This information is helpful in regulatory, compliance initiatives as well as demonstrating to prospective customers that you care about the security and privacy of the information and tasks they entrust with you.

The 3 main reasons why the SOC® has replaced the SAS70:

  • The world has changed and there is a need for more oversight and reporting options with regards to a variety of concerns such as IT security, privacy and confidentiality. Much of this is due to new and emerging technologies including visualization, and the rise of mobile and cloud computing.
  • The need for greater international consistency, given the rise of globalization and the increase in the use of outsourcing.
  • The SAS 70 Report was often being misused and limited to controls related to financial reporting.

In addition to a SOC® readiness assessment, Nawrocki Smith can also assist with all three types of examinations related to Service Organization Control described below.

SOC® 1 Examination (SSAE 16) - Internal Control Over Financial Reporting

A Service Organization Control (SOC®) 1 report is used to document your descriptions related to internal control over financial reporting. The use of the report is restricted to management of the service organization, your customers’ auditors and your customers. The report can be used in your customer’s financial audits to assist their auditors in assessing risks related to internal control as well as assist your customer’s evaluation of internal control over financial reporting for compliance purposes.

There are two types of reports related to SOC® examinations, which are known as Type 1 and Type 2.

In a Type 1 report, the service auditor examines the service organization’s descriptions of its systems to provide an opinion regarding if the description is fairly presented and controls were suitably designed (as of a specific date).

In a Type 2 report, the service auditor examines the service organization’s descriptions of its systems to provide an opinion regarding if the description is fairly presented and controls were suitably designed as well as performing tests to provide an opinion regarding the operating effectiveness of the controls (throughout a specified period).

Service organizations which may require a SOC® include, but are not limited to:

  • Trust departments of banks and insurance companies
  • Custodians for investment companies
  • Mortgage servicers or depository institutions that service loans for others
  • Data centers
  • Health and dental care claims management and processing centers
  • Payroll Companies
  • Software as a service providers (“SaaS”)
  • Internet service providers and web hosting service providers

SOC® 2 Examination – Non-Financial Report Issues - Trust Services (TS)

Similar to a SOC® 1 Examination, a SOC® 2 Examination is a report on management's description of the service organization's system and the suitability of the design of the controls. However, the focus is not on controls-related to financial reporting. This examination is related to controls to achieve the relevant Trust Services Principles and Criteria included in the description as of a specified date (Type 1) or throughout a specified period (Type 2).

It is a generally restricted-use trust services report on controls at a service organization regarding one or more of the following trust service principles and criteria:

Security. Is the system protected against unauthorized access (physical and logical)?

Availability. Is the system available for operation and use as committed or agreed?

Processing Integrity. Is system processing complete, accurate, timely, and authorized?

Confidentiality. Is confidential information protected as committed and agreed?

Privacy. Is personal information collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants?

SOC® 2 reports are applicable to almost any service provider that serves as an extension of its customer’s internal control environment as it relates to security, availability, processing integrity, confidentiality or privacy. Such service organizations include, but are not limited to:

  • Companies that provide cloud computing
  • Managed security firms
  • Customer support centers
  • Sales force automation companies
  • Health and dental care claims management and processing centers
  • Software as a service providers (“SaaS”)
  • Data centers
  • Enterprise IT outsourcing services

There are many instances when a service organization’s services could be applicable to both a SOC® 1 report and a SOC® 2 report. Although the reports cannot be combined, separate engagements can be performed to provide these service organizations with the reports that they need.

When determining the report that is appropriate for your organization, consider the following:

What is driving the need for this report?

If customers are requesting it, what will they be using the report for?

Are your customers primarily concerned about operational aspects of your outsourced services or do your services relate to your customers’ financial statements?

SOC® 3 Examination – Non-Financial Report Issues - Trust Services (TS)

A general-use trust services report for service organizations that provides an opinion on whether the the service organization maintained effective controls over its systems. SOC® 3 reports can be issued on one or multiple trust services principles (security, availability, processing integrity, confidentiality and privacy). SOC® 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of the detailed information in a SOC® 2 report. These reports are generally shorter, easy-to-read reports without the detail provided in other SOC® 2 report and can be distributed to anyone.

Does Your Organization Need a SOC® Report?

If your organization performs services for clients or if you are responding to client questionnaires on your IT policies or other processes, controls, and confidentiality then you may be considered a "service organization" and benefit from an independent review of your Service Organization Controls.

Be sure to consult with your service auditors in making the determination over which report is right for your business, as it is sometimes confusing and not always completely clear.


Nawrocki Smith LLP

290 Broad Hollow Road, Suite 115E

Melville, New York 11747

Email: info@nsllpcpa.com