Leading Insights Blog

Considerations of the User Entity When Placing Reliance on SOC 1® Reports

By Mitch Cuccias, Jonny Silver, and Beni Venkatesan

A System and Organization Controls (SOC) 1® report is an examination of a service provider’s controls that relate to financial reporting. Service providers hire auditors to conduct the SOC 1® examination so that the final report may be distributed to the service provider’s customers, also known as user entities. The report provides these user entities with an understanding of the service provider’s controls, the effectiveness of those controls, and the controls that other parties are responsible for. When management of a user entity receives a SOC 1® report from its service organization, it is important that the management personnel tasked with its review, analysis, and interpretation are well-equipped and informed to perform an effective review and to incorporate the results of that SOC 1® report into the internal controls at the user entity. To effectively review a SOC 1® report, the reviewer should be trained in, and knowledgeable of, all required content of a SOC 1® report. At a minimum, all SOC 1® reports include:

  • Type of Report (Type 1 vs. Type 2; more details on this later)
  • Opinion of the report
  • Services provided
  • Scope, timing, and subservice organization(s) (carve-out vs. inclusive—more detail on this follows later in this article)
  • Control objective failures
  • Control activity failures
  • Complementary User Entity Control (CUEC) and Complementary Subservice Organization Controls (CSOC).

What the User Entity Should Understand About the SOC 1® Report

It is critical for user entities to obtain an understanding of their control environment. Specifically, user entities are responsible for understanding who their service organizations are, in addition to assessing/addressing the risks associated with outsourcing a service impacting financial reporting. To accomplish this, effective, frequent communication with the service organization is key.

The primary vantage point of this article is on SOC 1®, Type 2 reports, defined by Attestation Standard – Clarified (AT-C) 320 as a report on the “fairness of presentation, suitability of the design, and operating effectiveness of controls.” However, this article’s content could apply to all variations of SOC reports, such as SOC 1®, Type 1 or even SOC 2® reports.

While Type 1 and Type 2 reports are similar, differences exist when it comes to control reliance. A Type 2 report includes testing of the operating effectiveness of the controls over the identified period during which the controls were in place, whereas a Type 1 report does not incorporate testing of controls at all. In the AT-C 320 standards (section: definitions .08.c), both Type 1 and Type 2 SOC reports include the following required language; however, the words “and operating effectiveness” apply only to a Type 2 SOC report:

“Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls.”

Accordingly, a SOC 1®, Type 2 report provides more assurance than a Type 1. A SOC 1®, Type 2 report includes the phrase: “controls operating effectively over a [defined] period.” This phrase indicates a Type 2. For a SOC 1®, Type 1 report, the corresponding phrase is: “controls suitably designed as of a date.” This difference in language is an example of why user entity management needs to be well-versed and trained in reviewing the different types of SOC 1® reports.

Priority SOC 1® Report Elements for a User Entity Management Review

Generally, SOC reports are lengthy documents; therefore, it is valuable for the user entity’s management to know which sections are most applicable and important for their documented review and risk assessment. Below are key elements/sections that user entity management should prioritize in their documented review and risk assessment of SOC reports:

The following elements are what management of the user entity should be looking for within the SOC 1® report, each with an explanation of why it is important.

Opinion of the Report

Why is This Important? Per AT-C 320 Standards .38, an unmodified opinion is the best indicator that the controls stated within the report are operating as intended.

A disclaimer of opinion from the examination engagement could be an indicator of a “bigger” issue at the service organization.

A qualified opinion is an indicator that controls assessed as part of the scope of the SOC 1® report are in a failing state (either “control objectives” or “control activities”).

An adverse opinion is an indicator that the auditor found severe control deficiencies that would materially impact, and are pervasive across, the service organization’s control environment.

Scope, Timing, and Subservice Organization

Why is This Important? Per AT-C 320 standards .A20, the scope of the SOC 1® report is listed within the System Description (Section 3) and the Service Auditor’s Opinion (Section 2). The scope includes the period covered by the report (generally six to 12 months), the system examined, the location of services, and the elements of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework¹ adopted by AT-C 320, which include:

- Overall control environment
- Risk assessment
- Information and communication
- Monitoring

Subservice organizations are organizations the service provider uses to perform select services that are needed to meet its commitments to user organizations. Section 3 of a SOC 1® report lists all relevant subservice organizations and notes whether the controls at these subservice organizations are “carved out” of or “included” within the report (referred to as the carve-out or inclusive method). As service providers often opt for the carve-out method due to scoping and cost, user entities should expect to see carve-out in most cases. Both methods have direct implications for how the subservice organization’s involvement affects internal controls. Per AT-C 320.08:

Carve-Out Method: Method of addressing the services provided by a subservice organization, whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement the subservice organization’s relevant control objectives and related controls.

Inclusive Method: Method of addressing the services provided by a subservice organization, whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization, as well as the subservice organization’s relevant control objectives and related controls.

Control Objective Failures

Why is This Important? Per AT-C 320, a control objective is defined as the aim or purpose of controls intended to mitigate a risk. For example, a control objective may be stated as “controls provide reasonable assurance that logical access is restricted to appropriate users.” Control objective failures are important because they can have major impacts on the overall opinion of the report, ranging from an unmodified opinion to a modified or even adverse opinion. All of the aforementioned opinions have implications for the control environment of the user entity; control failures can have no impact, some impact, or significant impact on the user entity. The user entity should consider and thoroughly document all such controls within its risk assessment.

Control Activity

Why is This Important? Control activities, as defined by AT-C 320, are the individual controls that make up a control objective. Both control objective and control activity results are always summarized within Section 4 of the SOC 1® report.

Relevant CUECs and CSOCs

Why is This Important? Per AT-C 320:

Complementary User Entity Controls (CUEC): Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.

Complementary Subservice Organization Controls (CSOC): Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.

User entities should map all relevant CUECs, identified as part of their documented risk assessment, to their internal controls and, for CSOCs, determine whether they need to include the subservice organizations’ SOC reports as part of their formal review process to ensure coverage of their entire control environment.

Lastly, management of the user entity responsible for the review of the SOC 1® report should be aware of common roadblocks surrounding SOC 1® reports, as well as how to make a risk-based decision for their own internal controls over financial reporting. Timely communication with service organizations will greatly reduce avoidable issues; common challenges include the SOC 1® report not being available, or unexpected control failures at the service organization not being communicated until the end of the user entity’s fiscal year (FY). The considerations outlined in the table below should be incorporated into the user entity’s “review of SOC 1® report” procedure to ensure the user entity has properly considered and mitigated its risks for outsourced services.

Each common issue is listed below with an explanation of why it is important and a possible solution.

Common Issue: A redacted (e.g., partial Sections 1-4) SOC 1® report is provided to the user entity.
Why is This Important? A redacted SOC 1® report is of little to no use to the user entity because it fails to meet its intended purpose of providing the user entity with an auditor’s opinion of the service provider’s controls and their effectiveness.
Possible Solution: To compensate for redacted or untimely SOC 1® reports, user entities must evaluate the risk and implement compensating controls for gaps in assurance.

Common Issue: An untimely SOC 1® report (e.g., received after the user entity’s FY has concluded).
Why is This Important? An untimely SOC 1® report is of little use to the user entity, especially if control failures exist, which may lead to untimely mitigations and audit findings for lack of assurance over controls within the FY.
Possible Solution: The user entity may need to refine its ongoing communication with the service organization.

Common Issue: Multiple control objective or control activity failures are reported within the SOC 1® report.
Why is This Important? The user entity cannot rely on the service organization’s controls; management at the user entity should fully understand how this situation impacts their control environment.
Possible Solution: The user entity will need to assess the relevance of the control failures and may need to implement associated mitigating controls. The user organization should document the assessment and implementation of mitigating controls within the SOC review or other related risk assessment documentation.

Outsourcing a financial process to a service organization often creates efficiencies. However, while controls can be outsourced, effective oversight and management of those controls always remain the responsibility of the user entity. When controls are managed by a third party, risk assessments must still be performed, information is still being processed, controls are still being managed, and periodic communication must still occur. For these elements of internal control to be effective, knowledgeable personnel at the user entity should be carefully selected, undergo training, and fully understand the contents of a SOC 1® report.

This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind.

Kearney is a Certified Public Accounting (CPA) firm focused on providing accounting and consulting services to the Federal Government. For more information about Kearney, please visit us at www.kearneyco.com or contact us at (703) 931-5600.

¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework