Which part of the audit report is designed to be the most useful on future projects?

SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and controls related to the services through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs:

SOC 1® – SOC for Service Organizations: ICFR

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

There are two types of reports for these engagements:

  • Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2® - SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Similar to a SOC 1 report, there are two types of reports: a type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.

SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed.

AICPA Toolkit for SOC for Service Organizations

To help service organizations better understand SOC for service organizations examination engagements and educate current and potential customers on the reports on their controls, the AICPA has developed the SOC Toolkit for Service Organizations. All materials are available as free downloads.

The AICPA has developed the "Information for Management of a Service Organization" document to assist management of a service organization in preparing its description of the service organization’s system, which serves as the basis for a SOC 2® examination engagement. It is also intended to familiarize management with its responsibilities when it engages a service auditor to perform a SOC 2® engagement. This document was adapted from the AICPA Guide, SOC 2® Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (January 1, 2018).

AU Section 325

AU section 325 is superseded as follows:

  • In an integrated audit of financial statements and internal control over financial reporting, by paragraphs 207-214 of PCAOB Auditing Standard No. 2.
  • In an audit of financial statements only, by the following paragraphs.

1. In an audit of financial statements, the auditor may identify deficiencies in the company's internal control over financial reporting. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

  • A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
  • A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

2. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Note: The term "remote likelihood" as used in the definitions of significant deficiency and material weakness (paragraph 3) has the same meaning as the term "remote" as used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS No. 5"). Paragraph 3 of FAS No. 5 states:

When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:

a. Probable. The future event or events are likely to occur.

b. Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.

c. Remote. The chance of the future event or events occurring is slight.

Therefore, the likelihood of an event is "more than remote" when it is either reasonably possible or probable.

Note: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

3. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Note: In evaluating whether a control deficiency exists and whether control deficiencies, either individually or in combination with other control deficiencies, are significant deficiencies or material weaknesses, the auditor should consider the definitions in paragraphs 1, 2 and 3, and the directions in paragraphs 130 through 137 of PCAOB Auditing Standard No. 2. As explained in paragraph 23 of PCAOB Auditing Standard No. 2, the evaluation of the materiality of the control deficiency should include both quantitative and qualitative considerations. Qualitative factors that might be important in this evaluation include the nature of the financial statement accounts and assertions involved and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency, or combination of deficiencies, is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls and whether such compensating controls are effective.

4. The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor's report on the financial statements. The auditor's communication should distinguish clearly between those matters considered significant deficiencies and those considered material weaknesses, as defined in paragraphs 2 and 3.

Note: If no such committee exists with respect to the company, all references to the audit committee in this standard apply to the entire board of directors of the company. The auditor should be aware that companies whose securities are not listed on a national securities exchange or an automated inter-dealer quotation system of a national securities association (such as the New York Stock Exchange, American Stock Exchange, or NASDAQ) may not be required to have independent directors for their audit committees. In this case, the auditor should not consider the lack of independent directors or an audit committee at these companies indicative, by themselves, of a control deficiency. Likewise, the independence requirements of Securities Exchange Act Rule 10A-3 are not applicable to the listing of non-equity securities of a consolidated or at least 50 percent beneficially owned subsidiary of a listed issuer that is subject to the requirements of Securities Exchange Act Rule 10A-3(c)(2). Therefore, the auditor should interpret references to the audit committee in this standard, as applied to a subsidiary registrant, as being consistent with the provisions of Securities Exchange Act Rule 10A-3(c)(2). Furthermore, for subsidiary registrants, communications required by this standard to be directed to the audit committee should be made to the same committee or equivalent body that pre-approves the retention of the auditor by or on behalf of the subsidiary registrant pursuant to Rule 2-01(c)(7) of Regulation S-X (which might be, for example, the audit committee of the subsidiary registrant, the full board of the subsidiary registrant, or the audit committee of the subsidiary registrant's parent). In all cases, the auditor should interpret the terms "board of directors" and "audit committee" in this standard as being consistent with provisions for the use of those terms as defined in relevant SEC rules.

5. If oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, that circumstance should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists. Although there is not an explicit requirement to evaluate the effectiveness of the audit committee's oversight in an audit of only the financial statements, if the auditor becomes aware that the oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, the auditor must communicate that specific significant deficiency or material weakness in writing to the board of directors.

6. These written communications should include:

a. The definitions of significant deficiencies and material weaknesses and should clearly distinguish to which category the deficiencies being communicated relate.

b. A statement that the objective of the audit was to report on the financial statements and not to provide assurance on internal control.

c. A statement that the communication is intended solely for the information and use of the board of directors, audit committee, management, and others within the organization. When there are requirements established by governmental authorities to furnish such written communications, specific reference to such regulatory authorities may be made.

7. The auditor might identify matters in addition to those required to be communicated by this standard. Such matters include control deficiencies identified by the auditor that are neither significant deficiencies nor material weaknesses and matters the company may request the auditor to be alert to that go beyond those contemplated by this standard. The auditor may report such matters to management, the audit committee, or others, as appropriate.

8. The auditor should not report in writing that no significant deficiencies were discovered during an audit of financial statements because of the potential that the limited degree of assurance associated with such a report will be misunderstood.

9. When timely communication is important, the auditor should communicate the preceding matters during the course of the audit rather than at the end of the engagement. The decision about whether to issue an interim communication should be determined based on the relative significance of the matters noted and the urgency of corrective follow-up action required. In an audit of financial statements only, auditing interpretation 1 to AU sec. 325, "Reporting on the Existence of Material Weaknesses," continues to apply except that the term "reportable condition" means "significant deficiency," as defined in paragraph 9 of PCAOB Auditing Standard No. 2.

Which lessons-learned practices are designed to improve performance on current and future projects?

Retrospectives of lessons learned are designed to improve performance on current and future projects.

What is included in a project audit?

A project management audit is a formal review that seeks to evaluate a given project based on specific criteria. Examples of these can include project quality, performance, and adherence to the statement of work.

At what level of the project management maturity model does optimization of the project management take place?

Level 5: Optimizing Process. “Processes are in place and actively used to improve project management activities. Lessons learned are regularly examined and used to improve project management processes, standards, and documentation.”

What is a major tenet of the project audit?

The outcome must represent an independent, outside view of the project.
