A lot can go wrong when outsourcing functions to a third party. For example, a security breach can leak customers’ private information, or a server can go down and leave critical transactions unprocessed, or fraud at the service organization could result in the customer’s financial statements being inaccurate.
The risks inherent in outsourcing make trust an essential component of the relationship between the organization that provides the outsourced services (service organization) and the user of the outsourced services (user entity). A new reporting framework rolled out in February by the American Institute of Certified Public Accountants (AICPA) is intended to shine a brighter spotlight on risks relating to the information technology a service organization uses to process user entities’ data and to provide peace of mind that the service organization’s controls are protecting this sensitive information. The new Service Organization Control (SOC) framework gives outsourcing providers three options when it comes to attesting to their controls. (For a summary, see the chart below.) Deciding which option meets your needs requires understanding the risks posed by the outsourced service.
SOC 1: Reports on Controls Over Financial Reporting
SOC 1 reports are appropriate if the outsourced service is likely to pose a risk to the accuracy of the user entity’s financial statements. A medical billing company, for example, handles transactions that directly affect the accounting records of its medical practice clients.
Formerly known as Statement on Auditing Standards No. 70 (SAS 70) reports, SOC 1 reports are performed under the new attestation standard Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which becomes effective for reporting periods that end on or after June 15, 2011.
A user entity is likely to request a SOC 1 report to provide vital information to its financial statement auditor. A company also might ask for a SOC 1 report to demonstrate good corporate governance, since safeguarding the integrity of financial information is one of the responsibilities of an organization’s board and management.
User entities might request one of two types of SOC 1 reports:
- Type I – A report on the fairness of the presentation of management’s description of the information system and the suitability of design of the controls as of a specified date.
- Type II – A report on the fairness of presentation and the suitability of design of controls, as well as the operating effectiveness of those controls over a stated period of time – usually not less than six months.
While there are a few circumstances when a Type I engagement is valuable, such as for a new company, most user organizations that request a SOC 1 report need the additional level of testing provided by a Type II report.
Unlike SAS 70, SSAE 16 requires management to provide a written assertion as to the reliability and effectiveness of internal controls. This requirement lays responsibility for those controls squarely on the shoulders of those who are in the best position to understand the risks — just as the Sarbanes-Oxley Act laid the responsibility for accuracy of financial statements on the shoulders of CEOs and CFOs of public companies.
Because a SOC 1 report contains detailed information about the service organization’s proprietary systems and controls, it is intended to be used only by existing customers. This means that using the report as a marketing tool to attract potential customers is not appropriate.
SOC 2: Reports on Controls Over Operations and Compliance
There are many risks of outsourcing that don’t affect the user’s financial reporting. Instead, the outsourced services might affect the security, confidentiality, privacy, availability or processing integrity of the information system. These are considered operational and compliance risks, rather than financial risks.
While SSAE 16 is not designed to address those risks, another AICPA document – Trust Services Principles, Criteria and Illustrations – does provide guidance on them. Although it addresses different subject matter (operational and compliance risks), a SOC 2 report provides the same level of detail as a SOC 1 report. As with SOC 1, either a Type I or a Type II report may be issued.
User entities might request a SOC 2 report to comply with privacy laws, such as the Health Insurance Portability and Accountability Act. In other cases, a SOC 2 report might help a user entity evaluate the effectiveness of controls as required by its governance processes.
Like a SOC 1 report, a SOC 2 describes proprietary processes, so it is restricted to existing customers of the service organization.
SOC 3: Trust Services Report
A SOC 3 report includes only the auditor’s report on whether the system achieved the Trust Services criteria. It does not include a description of the tests of internal controls and their results, nor does it include an opinion on management’s description of the system.
Because of the general nature of this report, it is appropriate for use by all current and prospective stakeholders of a service organization. A service organization may distribute the SOC 3 report to customers via a link on its website, and it can publicly display a seal designed by the AICPA specifically to market this report.
Selecting the Right Option
It is important that service organizations and user entities understand which type of SOC reporting option addresses the risks that pertain to them. In some circumstances, a user entity might request both a SOC 1 report and a SOC 2 report from its service provider. For example, the services offered by a software-as-a-service company might affect its customers’ financial reporting as well as the availability and processing integrity of the customers’ information system.
And the service provider might choose to obtain a SOC 3 report to share with prospective customers, while also obtaining a SOC 1 and/or a SOC 2 report to meet the needs of its current customers. The summary chart on the next page should help user entities and service organizations agree on the right option.
The AICPA has released guidance to help auditors and issuers implement each of these new standards and reports. For more information, visit AICPA.org.
Three Options for Service Organization Control Reporting