System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. The American Institute of CPAs has updated its System and Organization Controls. The new system includes the Reporting in an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, and Confidentiality or Privacy.
SOC for Service Organization engagements is the internal reports on the services provided by an organization through valuable information that users need to assess and address the risks associated with an outsourced service. It helps in bringing transparency to the system, allow users to have trust and confidence in the ability of the service organization to carry out its work.
SOC for Service Organizations: Trust Service Criteria
This side of the work of SOC targets those controls which are related to the security, availability, processing integrity, confidentiality or privacy of the organization. The reports which are generated from this point of SOC are required to meet the broad range of users who require detailed information and assurance about the controls at a service organization relevant to security and availability. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
However, it would consist of two types of reports:
- A report on the description of the management of a service organization’s system and the suitability of the design and operating controls.
- The second kind of report is about the management’s description of work and the design of controls.
SOC for Service Organizations: Information for CPAs
A CPA can be engaged to examine and report on controls at a service organization that are related to different types of subjects and matters. These subjects and matters include the controls that can affect the financial reporting and its various aspects and it also includes the controls that can affect the security and the integrity of the systems. The applicable attestation standard for such engagements may vary depending on the subject matter.
Overall, to streamline the process and to make the CPAs aware of the different standards to examine and report on controls at a service organization, the AICPA has developed different reporting controls for the organizations. But Let’s take a look at SOC 2.
Standard the Engagement Performed under SOC 2 Report
Different items can be listed here which can tell what different parts are being accessed and assessed and the standard of engagement is maintained. Some of those standards and sections which are being engaged are:
- Attestation Standards
- Clarification and Recodification (AT-C section 105)
- All Attestation Engagements and AT-C section 25
- TSP section 100
- 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
What are the contents of the Report Package?
The contents of the reports vary from organization to organization; however, some of the items are the same. The service organization’s system and the suitability of the design and operating effectiveness of the controls to provide reasonable assurance is part of it. Moreover, the organization’s service commitments and system requirements are also achieved and checked based on applicable trust service criteria.
It also contains an audit report of the service which explains whether it was presented in its true context and also in the accordance with the description criteria. Overall, the SOC -2 covers the trust criteria of services and this is why everything focuses on the point of trust, the availability and the suitability of any services.