Your Guide to SOC Reports for Service Organizations

  • Reducing Risk
  • 10/25/2017

SSAE 18 offers one of the highest standards for internal controls and data security assurance.

Data security is a concern for customers of service organizations across all industries, but especially for companies that process financial transactions on behalf of others. If you maintain data that is not the responsibility of your organization, or are new to providing outsourced processing or managed services, how can you provide assurance to customers and prospects that your systems protect their data?

A good option to consider is a System and Organization Control (SOC) for service organizations report. A SOC report provides a detailed description of your service organization’s controls, and is intended to provide assurance to client user organizations that the control description is accurate; controls are suitably designed, and controls operated as intended during the reporting period.

If you are new to providing outsourced transaction or processing services, SOC might be unfamiliar to you. SOC reports replaced “SAS 70” and Statement on Standards for Attestation Engagements (SSAE) 16 and are prepared in accordance with SSAE No. 18.

What is a SOC report?

SOC reports are intended to provide client user organizations with reasonable assurance that controls within the service organization are accurately described, suitably designed and operating effectively based on the overall operating environment, including services provided and the types of data processed and maintained.

It is a standardized report that gives service providers a mechanism to deliver insight into the design and operating effectiveness of internal controls relevant to user entities (i.e., customers). There are three primary types of the reports:

  • A SOC 1 is related to internal controls that impact financial reporting or internal controls of the customers of the service organization.
  • A SOC 2 and SOC 3 is related to internal controls that impact system security or availability, processing integrity, confidentiality, or the privacy of customer data.

SOC 1 vs. SOC 2 vs. SOC 3

The first step in the SOC engagement is to establish what services will be reviewed and the type of report that will be issued. This will include identifying control objectives (SOC 1) or trust principles (SOC 2 and SOC 3). There are a number of factors that determine the scope and type of engagement that is appropriate for your situation, including:

  • Report usage: Who are the intended users of the report and what are their expectations? Will the report be used to support their internal controls on financial reporting? Are regulatory or contractual requirements involved? Are there concerns about the security or availability of data and services?
  • Service: Does the service have a financial impact on customers?
  • Sub-servicer: Do you rely on other service providers to deliver the service? What impact does the service provider have on the service and your customer? Does the service provider have a SOC report of its own?

Which SOC report type is right for you?

Your answers to each of these questions should help you determine the right report for your situation.

SOC Report Types
Will the report be used by your customers and their financial auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes SOC 1 report
Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes SOC 1 report
Will the report be used by your customers or stakeholders to gain confidence and place trust in the service organization that systems are secure and data is protected? Yes SOC 2 or 3 report
Do you need to make the report generally available to entities that may not be familiar with your services? Yes SOC 3 report
Do your customers have the need to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and results of those tests? Yes SOC 2 report
No SOC 3 report

SOC approach

Readiness assessment

Once the scope of the engagement has been established, a service organization may decide to assess current internal controls to determine if they satisfy management’s control objectives or selected trust principle criteria. This would be accomplished through a review of existing procedural documentation, a walk-through of processes, and management interviews. Through this, internal controls would be analyzed to determine if they meet the control objectives or trust principle criteria. If controls are not adequate a remediation effort will be designed to close the control gap. At the conclusion of this phase, management will receive a report that identifies key controls for each control objective and criteria, and any necessary remediation efforts.

Remediation of control gaps

Two significant steps occur during the remediation phase:

  1. Remediation efforts are tracked and the noted control gaps are closed.
  2. Service provider will draft a system description that identifies processes and controls that deliver the services within the scope of the engagement. This description is the basis of the auditor’s opinion and will be included in the final report.

Validation to confirm that control descriptions are accurate

After remediating identified control gaps and drafting the description of controls, procedures are performed to validate that the description of controls are accurately worded and adequately designed. This is accomplished through a series of tests that confirm the controls have been implemented as designed. The successful result of these procedures is the issuance of a Type 1 SOC report with Service Auditors Opinion as of a specific date.

Testing to determine if the controls are operating effectively

To achieve the SOC report with an opinion related to operating effectiveness of controls, procedures are performed to determine if controls are operating effectively throughout the reporting period. This requires that control activities be tested throughout the specified period to determine compliance with the control design. Upon the completion of the testing procedures, a Type 2 SOC report with Service Auditors Opinion is issued providing assurance of control effectiveness for the specified reporting period.

How we can help

Completing a SOC examination is an important part of your overall risk management plan. The report provides your customers with assurance of your internal controls as a service provider. Perhaps the best outcome of these examination(s) is that you will gain insight into your own internal controls and know whether your controls are performing as expected.

View FAQs about SSAE 18, SSAE 16, and SAS 70.

Experience the CLA Promise