Can a SOC Report Help Your Service Organization?

Dec 23, 2019 | Business

System and Organization Controls (SOC) are actually a suite of different service offerings CPAs provide in connection with either system-level controls of a service organization or entity-level controls of other organizations. SOC reports are designed to help service organizations build trust and confidence in their capabilities through a report issued by an independent CPA.

Obtaining a SOC report can differentiate your service organization by demonstrating that you have established effectively designed controls, giving your customers peace of mind and helping them meet their own financial reporting needs.

There are three main types of SOC reports, each reporting differently on controls to meet different user needs.

Benefits of Obtaining a SOC Report

Internal control reports on the services provided by a service organization give customers valuable information they can use to assess and address the risks associated with an outsourced service. They are especially useful to customers’ auditors, who can use them to obtain an understanding of the controls over their client’s transaction processing and data security and, depending on the type of report, even to reduce the amount of testing they need to perform in their audit.

Other benefits include:

  • Providing a competitive advantage over similar service organizations that have not obtained a SOC report
  • The ability to meet contractual requirements
  • Benchmarking controls against a recognized framework
  • Increasing client satisfaction through a sense of security over sensitive information

SOC 1 for Service Organizations: ICFR – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)

These reports are specifically intended to meet the needs of customers that use service organizations to process financial transactions and of the CPAs that audit those customers’ financial statements. Common examples are service organizations that process payroll for their customers, administer retirement plan transactions, or process particular types of insurance claims.

There are two types of reports for these engagements:

  • Type 1 – Reports on whether a company’s internal financial controls are properly designed and described as of a particular point in time.
  • Type 2 – Starts with the Type 1 report and adds testing of the operating effectiveness of the controls over a specified period of time.

Use of these reports is restricted to customers and their auditors.

SOC 2 for Service Organizations: Trust Services Criteria – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the compliance and operations controls at a service organization. The controls covered are those relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by those systems.

These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.

As with a SOC 1 report, there are two types:

  • Type 1 – Reports on whether a company’s cloud and data center security controls are properly designed and described as of a particular point in time.
  • Type 2 – Starts with the Type 1 report and adds testing of the operating effectiveness of the controls over a specified period of time.

Use of these reports is restricted to customers and their auditors.

SOC 3 for Service Organizations: Trust Services Criteria for General Use Report

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed.

This article was contributed by Joseph A. Barrett, CPA.

Photo by Andrew Neel on Unsplash
