Service organizations are invaluable to the companies they serve and include such businesses as IT companies, payroll companies, third party administrators of benefit plans, collection companies and billing companies.
However, service organization customers and their auditors often require assurance that the service organization’s internal controls are appropriately designed and operating effectively to reduce the risk of a significant error, omission or data loss by the service organization.
Service Organization Control (SOC) Reports were designed by the American Institute of CPAs (AICPA) to provide that assurance.
Smart Business spoke with Rosemary Rehner, CPA, a Director at Barnes Wendling CPAs, about SOC reporting and how it works.
Why do service organizations obtain a SOC Report?
Service organizations seeking new customers and attempting to stay ahead of the competition can distinguish themselves by obtaining a SOC Report, which reduces customer audit time and effort. Service organizations often find their internal controls subject to inspection from their customers’ internal and external auditors.
The inquiries, checklists and visits can be repetitive and disruptive to operations by drawing significant personnel and resources away from the service organization’s mission. The extent and frequency of customer audits can be reduced with a SOC Report.
The SOC process results in the identification of missing or redundant controls that could put the business at risk or cost the service organization money. Service organizations are often required contractually by their customers to obtain and provide a SOC Report periodically, or it is requested during a customer audit.
What is the difference between a SOC 1 and SOC 2 report?
The SOC 1 Report was specifically designed for service organizations providing services that impact financial reporting for their customers.
For example, payroll companies process payroll transactions and provide reports to their customers who, in turn, use those reports to record transactions in their financial records. Therefore, the payroll company’s controls, or lack thereof, could impact the accuracy of the financial reporting of its customers.
The use of cloud computing, outsourced IT functions and other services that do not necessarily involve financial reporting has resulted in a need for an assurance report other than a SOC 1 Report. With this need in mind, the AICPA created the SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC 2 Reports provide service organizations with the opportunity to obtain detailed examinations of internal controls other than those over financial reporting.
In a type 1 SOC Report (regardless of whether the report is a SOC 1 or SOC 2), a description of the service organization’s system and the controls designed by management are included. The independent accountant expresses an opinion on whether management’s description of its system is fairly presented and whether the controls included in the description are suitably designed.
In addition to the information contained in a type 1 report, a type 2 report contains an opinion from the independent accountant on whether the controls were operating effectively throughout the reporting period. In other words, for both type 1 and type 2 reports, the independent accountant will gain an understanding of the system and the internal controls.
In a type 2 report, the independent accountant then obtains evidence of the operation of controls throughout the period and concludes, based upon the testing, whether or not the controls were operating effectively during the reporting period.
How do you get started?
Preparing for a SOC engagement involves assessment of the current control environment, the design of controls and limited testing of the operating effectiveness of those controls. Consult with a CPA experienced in performing SOC engagements to help prepare for your first examination.
Insights Accounting is brought to you by Barnes Wendling CPAs