What are the characteristics of SOC for Service Organizations engagements?
SOC for Service Organizations engagements include:
• SOC 1® - SOC for Service Organizations: ICFR (performed in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, and the AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®))
• SOC 2® - SOC for Service Organizations: Trust Services Criteria (performed under AT-C section 205 and the AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy)
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report (performed under AT-C section 205 and the AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy)
SOC 1 Engagements
The purpose of the report in a SOC 1 engagement is to provide management of the
service organization, user entities and the independent auditors of user entities’ financial
statements with information and a service auditor’s opinion about controls at a service
organization that are likely to be relevant to user entities’ internal control over financial
reporting. The report enables the user auditor to perform risk assessment procedures
and, if the report is a type 2 report, to use the report as audit evidence that controls at the
service organization are operating effectively. A SOC 1 report is a restricted-use report,
intended for use by user entities of the service organization and their financial statement
auditors. SOC 1 engagements should not be used for reporting on controls over subject
matter other than financial reporting. SOC 1 engagements are required to be
examinations, are subject to a System Review, and are must-select engagements.
SOC 2 Engagements
The purpose of the report in a SOC 2 engagement is to provide service organization
management, user entities, business partners and other specified parties with information
and a service auditor’s opinion about controls at the service organization relevant to
security, availability, processing integrity, confidentiality or privacy. Many entities
outsource tasks or functions that are unrelated to financial reporting to service
organizations. SOC 2 reports are intended to meet the needs of a broad range of users
that want to understand internal control at a service organization as it relates to the
security, availability or processing integrity of the service organization’s system, or the
confidentiality or privacy of the data processed by that system. These reports may be
restricted in use, but they are intended for stakeholders of the service organization (e.g., customers, regulators,
business partners, suppliers, directors) that have a thorough
understanding of the service organization and its controls. Similar to SOC 1
engagements, SOC 2 engagements provide for both Type 1 and Type 2 reports. Unlike
SOC 1 engagements, the primary users of SOC 2 reports generally are not user auditors