Many U.S. companies receive SOC 1 reports, which were previously referred to as SSAE 16 reviews, and SOC 2 reports from certain types of vendors/service organizations. SOC 1 reports and SOC 2 reports are both attestation engagements governed by the AICPA. SOC 1 reports focus on a service organization’s controls that impact the user entity’s internal controls over financial reporting and are typically used in support of the audit of a client’s financial statements. These reports are typically issued once a year in the late fall. SOC 2 reports focus on a service organization’s controls relevant to the Trust Services Criteria (TSCs) issued by the AICPA.
While most organizations do a good job of recognizing the need to request these reports from the service organizations they use, often the SOC reports are not properly reviewed and evaluated when received. So, what do you do with the SOC report once it has been received other than give it to the internal and external auditors?
What is the Purpose of a SOC Report?
Before we dive into how to review SOC 1 (f. SSAE 16) and SOC 2 reports, let’s first discuss the purpose of a SOC report and go over some common questions users have. In general, the purpose of a SOC report (SOC 1 or SOC 2), is to provide the user entities of a service organization with information regarding the systems and internal control environment at the organization and if the controls in place, relevant to user entities, are designed and operating effectively.
Many Users Ask if a SOC 1 (f. SSAE 16) is the Same as a SOC 2 Report.
The answer to that is: No. A SOC 1 report was previously referred to as an SSAE 16 review and there are distinct differences between a SOC 1 and a SOC 2. A SOC 1, as mentioned above, focuses on the controls at a subservice organization that impact a user entity’s internal control over financial reporting. An example subservice organization that would have a SOC 1 report is a payroll processing company. The controls a payroll processing company has in place to process their user entity’s payroll will impact the user entity’s internal controls over financial reporting. The payroll processing company’s SOC 1 report would most likely include control objectives related to their payroll processing system and general information technology processes.
So what is a SOC 2 report? A SOC 2 report focuses on non-financial controls, specifically on controls relevant to the TSCs. There are five TSCs that can be included in a SOC 2 report:
The service organization’s system or services and the controls in place are evaluated to determine whether the service organization is meeting the criteria in scope for the report.
Why Do We Review SOC Reports?
SOC reports can be reviewed for many reasons but many user entities request SOC reports from their subservice organizations to use in support of their financial statement audit, especially SOC 1 reports. User entities typically provide SOC reports to their external and internal auditors in order for them to determine whether controls in place at the service organization were designed and operating effectively and if there were any issues that could have impacted the user entity’s systems or control environment. Typically, external or internal auditors will use a SOC report review checklist to highlight the key information presented in the report and to determine how the user entity’s environment is impacted by the results of the audit.
SOC reports can also be reviewed by the user entity themselves to determine whether the service organization is meeting service commitments and requirements. In many cases, user entities are unsure of how to review a SOC report as they do not have a SOC review checklist or the background that their internal and external auditors have. In the remainder of this post, we will cover critical areas for review in a SOC report if you are performing one and are unsure of what you should be looking for.
What Should I Look For When Reviewing a SOC (SOC 1 or SOC 2) Report?
If you are a user entity trying to review a SOC report and don’t have a SOC review checklist or the help of internal/external auditors, the following are suggestions for reviewing SOC 1 (f. SSAE 16) and SOC 2 reports:
- Report Scope: Many service organizations issue multiple SOC 1 and SOC 2 reports for the various products and services they offer. Review the title and system description to determine whether the report is in support of the product your organization is using.
- Report Period: More than a few service organizations try to pass off old reports as current reports. Make sure you are provided with the current SOC report. Additionally, make sure the time period covered by the report meets your needs. Does the testing performed cover the design and operating effectiveness of the controls over a period of time (Type II) or a point in time (Type I)? If the report timing doesn’t provide you with the coverage you require, ask the service organization about it. They may be able to provide you with a bridge letter to cover a portion of your period that isn’t included in the report.
- Service Auditor: The name of the service auditor issuing the SOC report is typically located in Section I of the report. Do some research on the service auditor issuing the report and determine whether they are a reputable CPA firm. Good resources to review are the AICPA’s website, where peer review reports can be found, and the website of the state accountancy board, such as the Colorado Department of Regulatory Agencies – DORA. If you don’t find any information on the service auditor after performing a search on these or related sites, discuss your concerns with the service organization.
- Auditor Opinion: In the first section of the report, the opinion of the service auditor can be found. There are four types of audit opinions that could be used in a SOC report. The opinion will outline the scope of the report and state whether the opinion is unqualified, qualified, adverse, or a disclaimer of opinion. If the report has a disclaimer of opinion, an adverse opinion, or a qualified opinion, your organization will need to evaluate how this impacts your reliance on the report and the services provided to you by the service organization.
- Management’s Assertion: Management is required to include their written assertion in the report stating the report’s accuracy. In some instances, SOC reports are being issued without a management assertion, or the content of the management assertion differs from the auditor’s opinion. If the assertion is missing or the two differ, a conversation with the service organization is warranted.
- Location: Service organizations often have multiple locations, which is to be expected in the global economy. Make sure the report and audit testing cover the locations in which the service organization is performing services for your company. The locations covered can often be found in the system description of the report; if it is not obvious, ask the service organization to clarify.
- Processes, People, & Systems: The processes, as well as the people and systems that support the processes, should be adequately described in the report. Make sure there is sufficient detail so you can understand what the service organization is doing and what they are not doing. If a key process (e.g., information security) is not described in the report, ask the service organization about it.
- Subservice Organizations: In some instances, a service organization relies on a subservice organization to provide a portion of its services to the user entity. If a subservice organization is being used, determine whether the carve-out method or inclusive method is being used. If the carve-out method is being used, the services provided by the subservice organization and the related controls over the services provided are not included in the scope of the SOC report. If this is the case, you may need to request a SOC report from the subservice organization if the services they provide are material to your evaluation of the control environment. If the inclusive method is being used, the services provided and the controls at the subservice organization level are included in the scope of the SOC report. If any questions arise regarding the subservice organization, the services they provide, and what is being covered in the report, clarify with the service organization.
- Complementary User Entity Controls (CUECs): Complementary user entity controls (CUECs) are controls that the service organization is not responsible for and that the user entity should have in place when utilizing the system or services provided. When reviewing a SOC report, the organization needs to review the CUECs to determine whether the controls listed are relevant to them and, if so, whether they have the controls listed in place and operating effectively. Most SOC reports have CUECs listed within them.
- Testing Procedures and Results: Based on whether the SOC report you are reviewing is a Type I or Type II report, you will need to review the extent of testing performed and determine if it is sufficient to meet your organization’s needs. The controls tested, the description of the testing performed, and the results of the testing can generally be found in Section IV of the report. Review any findings/issues identified, including how they were mitigated and/or remediated, and determine how they impact your organization. It is common for SOC reports to have findings, so don’t panic if the one you are reviewing does. What is important is to determine whether the findings impact the services provided to your organization or your organization’s control environment.
In this blog post, we covered the basic purposes of SOC reports, why they are reviewed, and what to look for when you are performing a SOC 1 or SOC 2 report review. There are different concerns to consider when reviewing a SOC report, and the lens through which you review your SOC report should reflect the coverage you need to obtain for your organization.
Often, dialogue with the service organization is required in order to clarify any questions regarding the scope and results of the report. Reviewing the report yourself, rather than just passing it off to the internal and external auditors, is important in order to understand the services being provided, the effectiveness of the service organization’s controls, and how it impacts your organization.
Linford & Company is a CPA firm that specializes in various audits, including SOC 1 and SOC 2 audits, and other auditing services. If you have further questions on what a SOC audit entails, please review our page and contact us to see how we can further assist you and your organization.
This article was originally published on 10/24/2018 and was updated on 10/27/2021.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her clients’ businesses.