Service organization reports – Part 3 (SOC 3)

This is the last of a series on Service Organization Reports – SOC 1, 2 and 3. The related Knowledge-Based Examinations of Service Organizations is one of Wolters Kluwer’s newest CCH ProSystem fx Knowledge Coach titles. Part 1 of this series focused on SOC 1, and Part 2 focused on SOC 2. Part 3 will focus on SOC 3. Knowledge Coach is an integral part of the integrated audit approach, which also includes CCH ProSystem fx Engagement and CCH Accounting Research Manager.

SOC 3℠ Report – Trust Services Report for Service Organizations

Not all users need, or have the knowledge necessary to make use of, a SOC 2 report; such users can rely on a SOC 3 report instead. A SOC 3 report provides assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ information, and the confidentiality or privacy of that information.

While a SOC 1 report provides auditor-to-auditor communications, firms generally share SOC 2 reports only with restricted audiences. Conversely, a SOC 3 report is a general use report that would be relevant to current and prospective customers. Some firms use SOC 3 reports as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc.

In April 2016, the AICPA issued SSAE 18, Attestation Standards – Clarification and Recodification. SSAE 18 recodifies the “AT” section numbers originally designated by SSAE Nos. 10–17 using the identifier “AT-C” to differentiate the sections from the attestation standards that are superseded by SSAE No. 18. The “AT” sections remain effective through April 2017. By that time substantially all engagements for which the “AT” sections were still effective are expected to be completed. Consequently, as it applies to examinations of service organizations, SSAE 18 is effective for practitioners’ examination reports dated on or after May 1, 2017.

SSAE 18 Requirements

Practitioners performing examination engagements of service organizations are subject to the requirements of the following sections of the SSAE 18:

  • AT-C Section 105: Concepts Common to All Attestation Engagements. AT-C 105 defines the concepts that are common to all types of attestation engagements, including discussion of the overall objectives of attestation engagements; independence of the practitioner; acceptance and continuance of client relationships and engagements; pre-conditions for engagements; quality control responsibilities; documentation; and more;
  • AT-C Section 205: Examination Engagements. AT-C 205 contains performance and reporting requirements and application guidance for all examination engagements. The requirements and guidance in this section supplement the requirements and guidance in AT-C 105 and are also applicable to SOC 1, SOC 2, and SOC 3 engagements; and
  • AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. AT-C 320 contains performance and reporting requirements, as well as application guidance for a service auditor examining controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.

AICPA Guidance

In addition, if the practitioner is performing SOC 1, SOC 2, or SOC 3 engagements, he or she would also need to consider the guidance provided in the AICPA Audit and Accounting Guides:

  • Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1), or
  • Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 and SOC 3).

In conclusion, Knowledge-Based™ Examinations of Service Organizations reflects current authoritative literature, including SSAE 18, Attestation Standards: Clarification and Recodification; the 2011 Revision of Government Auditing Standards (GAGAS, or the Yellow Book); QC Section 10, A Firm’s System of Quality Control; and the revised AICPA Code of Professional Conduct (the Code), including the provisions of ET Section 1.295, Nonattest Services. This new toolset is designed to help reduce your firm’s costs by using CCH’s knowledge-based methodology. Knowledge-based audits focus engagements by using knowledge of the entity, subject matter, and criteria to make risk assessments and recommendations.

Learn more about all-in-one SOC Content today!


Denise Silva