This 3-part blog’s focus is on Service Organization Reports – SOC 1, 2 and 3, one of Wolters Kluwer’s newest CCH ProSystem fx Knowledge Coach titles. Knowledge Coach is an integral part of the integrated audit approach, which also includes CCH ProSystem fx Engagement and CCH Accounting Research Manager. Check back tomorrow for part 2.
Examinations of Service Organizations – Statements on Attestation Standards No. 320 (AU-C 320), Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
Many entities outsource aspects of their business activities to organizations that provide services ranging from performing a specific task under the direction of the entity to replacing entire business units or functions of the entity. In addition, many of the services provided by such organizations are integral to their customers’ business operations. Examples of such services include:
- Application Service Providers (ASP)
- Captive Providers
- Cloud Computing, Virtualization, On-Demand Computing Services
- Credit Card Processing Platforms
- Data Center and Co-Location Providers
- Internet Service Providers (ISP)
- Managed Services
- Medical Billing
- Online Fulfillment
- Payroll Services
- Print and Mail Delivery
- Rebate Processing (Online and Mail)
- Registered Investment Advisors (RIA)
- Social Media (Content Tagging and Aggregators)
- Software as a Service (SaaS)
- Tax Credit and Empowerment Services
- Transportation Services
- Third Party Administrators (TPA)
- Web Design, Development, and Hosting
User Entities and Responsibility
A user entity is a business that engages the services of a service organization. Generally, when a user entity engages another business to perform processes or functions on its behalf, the user entity exposes itself to additional risks related to that business’ system. Management of the user entity can, of course, delegate tasks or functions to a service organization. However, a user entity cannot delegate ownership of, or responsibility for, the product or service provided. In other words, management of the user entity is usually held responsible by those charged with governance of the user entity, customers, shareholders, regulators, and others for establishing effective internal control over outsourced functions.
Therefore, to give user entities assurance that the service organization is properly processing their transactions, service organizations engage service auditors to evaluate and measure their systems and services against suitable criteria and to opine on the acceptability of those systems and services. The user entity’s management, auditors, and customers then rely on the resulting service auditors’ reports. Although the reports provide a level of assurance that the transactions being processed are reliable, the service auditor’s report does not relieve management of the user entity of its responsibilities. There are 3 types of service organization reports; part 1 of this blog focuses on SOC 1.
SOC 1® Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
These reports (previously known as SAS 70 reports) are specifically intended to meet the needs of entities that use service organizations to perform functions related to financial reporting. Use of these reports is restricted to the management of the service organization, user entities, and their auditors. There are two types of reports for these engagements:
- Type 1 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Learn more about all-in-one SOC Content today!