SOC 1 Report

Published on February 2017

Guide to understanding Service Organization Control (SOC) 1 reports
Authors: Orus Dearman, Director, Business Advisory Services, and Brett Williams, Partner, Business Advisory Services

A user entity’s perspective

Until recently, the perception in the marketplace was that a service organization should provide a useful report surrounding its controls to its customers and customers’ auditors through the issuance of a SAS 70 report. Within the last year, the AICPA has issued clarification to the marketplace relating to the standards available to service organizations under which a report may be issued to customers and other stakeholders. First, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16 to replace guidance within SAS 70 relating to service auditor reports related to controls over financial reporting. This standard became effective for reports with a reporting date ending after June 15, 2011. Further, the AICPA clarified reporting options available to service organizations to communicate to their customers and prospective customers certain operational controls relating to the Trust Services Principles. The communiques are in the form of Service Organization Control℠ (SOC) 2 or 3 reports. The three types of SOC reports may be summarized as follows:

• SOC 1℠ (the subject of this guide) addresses, consistent with SAS 70 reports, internal controls that are relevant to a user entity’s internal control over financial reporting.
• SOC 2℠ addresses reports on controls related to the joint AICPA and Canadian Institute of Chartered Accountants Trust Services Principles and Criteria, which include a description of the service organization’s system, and for a Type II report, a description of the tests of controls and related test results by the service auditor. These Trust Services Principles include security, availability, processing integrity, confidentiality and privacy.
• SOC 3℠ addresses applicable Trust Services Principles (just as with a SOC 2 report) but without a lengthy description of the service organization’s system, and for a Type II report, without the detailed tests of controls and related test results.¹

¹ Service Organization Control, SOC 1, SOC 2 and SOC 3 are proprietary service marks of the AICPA, which reserves all rights.

Understanding and deriving value from a SOC 1 report

When it comes to understanding SOC 1 reports, the age-old maxim “There are no dumb questions except those not asked” has never been more applicable, particularly in consideration of the new standard. But finding the right balance between asking too many questions and not asking enough can be a challenge. Either we ask too many uninformed questions and subject ourselves to being taken advantage of, or we do not ask enough questions and run headfirst into the proverbial brick wall, stand up, rub our heads and say, “I meant to do that.” By obtaining a basic level of understanding of how to read a SOC 1 report, you can place yourself in a situation where you ask smart questions and can ultimately achieve greater insight into your service provider’s business.

SOC 1 reports, by design, are a means of auditor-to-auditor communication, but service organizations also use them as service provider-to-customer communication. The auditors of the service organization’s customers may use the report in planning their audit as it pertains to their understanding and evaluation of the design of internal control over financial reporting. Service organizations’ customers themselves may use the report to help them understand the controls the service organization has designed and implemented. They may use it, as well, to design and implement controls within their own environment to complement the controls of their service provider.

With this in mind, the ability to identify the rudimentary truths and effectively use the information contained in a SOC 1 report becomes a requirement for understanding its implications to a user entity’s (customer’s) overall control environment and control activities. Nonauditors are often left wondering how to discern this information in the midst of all of the “auditorspeak” included within these reports. Our objective with this guide is to help you learn how to read a SOC 1 report and determine how it can help you gain more knowledge and develop insight into your service organization’s business.

Key definitions
• Service organization or service provider: Organization providing the outsourced service
• Subservice organization: Organization used by the service organization to provide third-party services to the service organization
• Service auditor: Auditor performing a SOC 1 examination of the service organization’s controls
• User entity: Organization receiving the outsourced service
• User auditors: External auditors of the user entity

SOC 1 report basics

Similar to SAS 70 reports, SOC 1 reports come in two forms: Type I and Type II. While both reports cover the fair presentation of the description of the system and the suitability of the design of the controls related to the control objectives stated in the description, a Type I report covers a point in time, while a Type II report covers a period of time. A Type II report also addresses the operating effectiveness of controls throughout the specified period. Most service organizations request a Type II report because it is most useful to their user entities and auditors.

SOC 1 reports generally include the following, which may be included in different sections of the report:
I. The independent service auditor’s report (the “opinion”)
II. Management’s written assertion, which may also include a subservice organization’s assertion
III. Description of the system, which is provided by the service organization to describe, among other things, the services, the overall control environment, and the control objectives and controls related to the system being examined
IV. Service organization control objectives and related controls, and the independent service auditor’s tests of controls and results of tests (Type II only)
V. Supplemental material provided by the service organization

I. Independent service auditor’s report (opinion)

The opinion section of the SOC 1 report provides legitimacy to the overall SOC 1 report. This section describes the scope of the examination and articulates the service auditor’s opinion on the results. This section provides a lot of information in a small amount of space.

The first thing you need to determine is whether the SOC 1 report addresses the service organization’s activities that are relevant to your organization. Typically, the first paragraph of the service auditor’s report explains, at a high level, the scope of the examination. Pay particular attention to whether the report excludes certain locations, products and/or services that might be of importance to your organization. The full description of the system is provided by management in a separate section of the report.

Trends impacting use of SOC 1 reports
• Increasing amount of outsourced activities
• Growth of outsourced service providers, including the following:
  – Payroll functions
  – Accounting functions
  – Third-party retirement plan administrators
  – Third-party health care administrators
• Increasing regulation, such as the Sarbanes-Oxley Act of 2002, which includes reporting on the effectiveness of internal control over financial reporting

Second, the service auditor’s report may not cover services provided by the service organization’s own third-party service providers (referred to as subservice organizations). For example, a service provider may outsource its data center to a subservice organization. Frequently, the scope of the report will not include, as part of the examination, the relevant description and controls at the subservice organization. The service auditor’s report states whether the controls at subservice organizations are included (often referred to as the inclusive method) or excluded (often referred to as a carve-out) from the examination. Below is an example of carve-out language in an opinion:

“Example service organization uses ABC Computer subservice organization to perform aspects of its computer processing. The description of the system in section III of this report includes only the control objectives and related controls of Example service organization, and excludes the control objectives and related controls at ABC Computer subservice organization. Our examination did not extend to controls at ABC Computer subservice organization.”

If subservice organizations are excluded from the examination, you need to assess the risks posed to your organization related to the services provided by these subservice organizations. If you deem one or more of these subservice organizations important to your organization, you need to determine how you are going to gain comfort with that organization’s controls in any of the following ways:
• Obtaining a separate SOC 1 report from the subservice organization
• Conducting your own review of the controls in place at the subservice organization
• Requesting your service organization expand the scope of its SOC 1 report to include the subservice organization(s) in future reports
• Your external auditor may have to conduct specific procedures related to the controls in place at the subservice organization(s)

Third, you need to determine whether the SOC 1 report is a Type I or a Type II report. The biggest difference between a Type I and a Type II report is the opinion on operating effectiveness. This opinion is provided only for a Type II report. Most service auditors will request a Type II report because it covers controls that were in place and operating for a period of time. Because the Type II report covers a period, it also includes a description of significant changes to the system during that period. The Type I report is as of a specific date.

Key difference: Type I vs. Type II
A Type I report does not include testing or an opinion related to the operating effectiveness of controls over a specified period of time.

Example opinion language
1. “The description fairly presents the system (e.g., the description of the relevant controls of the Company) that was designed and implemented throughout the period January 1, 2011, to December 31, 2011.” (Note: A Type I report is for a point in time.)
2. “The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period January 1, 2011, to December 31, 2011.” (Note: A Type I report is for a point in time.)
3. “The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period January 1, 2011, to December 31, 2011.” (Note: This opinion is applicable only to a Type II report.)

If the above statement (3) is absent from the report, you are reading a Type I report; its value to your organization is rather limited because it does not offer any assurance that the controls were operating effectively over a specified period of time.

Key questions to ask yourself
• Scope: Does the report address the service organization’s activities relevant to your organization?
• Subservice organizations: Does the report include or exclude the controls at important subservice organizations?
• Type I vs. Type II: Is the report a Type I or a Type II report?
• Period: Does the period examined satisfy the requirements of your organization and your external auditor?

Fourth, you may also find modified language within the service auditor’s opinion that identifies exceptions to either the design of controls, the presentation of the system, or the operating effectiveness of controls due to matters encountered during the service auditor’s examination and testing. Modifications to the standard opinion language are indicative of issues large enough that the service auditor believes they may have a significant effect on the reliance the user organization and user auditor may place on the related controls. However, despite the inclusion of this language, a reader still needs to review the entire report to determine whether the matters identified in the opinion and any other exceptions identified in the service auditor’s description of tests of controls and related results affect your services. For example, if the affected control objective is not applicable to you, the user entity, either because your organization does not use that service or because you have other controls in place at your organization to mitigate the risk associated with that exception, then you may not be negatively impacted by the exception and the related modification made to the opinion by the service auditor.

We would also mention that the “Information provided by the service auditor” section of the report discloses any exceptions to specific control activities, even when such exceptions do not result in the failure to achieve a specific control objective. Such exceptions are not always included in section I (the service auditor’s opinion section) of the report. However, because each user of the service organization’s services may have slightly different risks, or may rely upon the service organization for different controls, it is important to carefully review section IV of the report, which details the service auditor’s testing of specific controls and any exceptions noted. It may be that the exceptions noted are more impactful to one user entity than to another. So again, you must understand what risks you need to address in order to properly evaluate the content of the SOC 1 report as it applies to your organization.
II. Management’s assertion

For SOC 1 reports, management is now required to include a written assertion to accompany the service auditor’s opinion. Management’s assertion may be in a separate section of the report or included in the section containing its description of the system. If a subservice organization is included within the scope of the examination (inclusive method), the subservice organization would also provide a written assertion to be included within the SOC 1 report. This essentially means that the service auditor’s tests of controls were extended to the subservice organization.

Management’s written assertion covers the following:
• The fair presentation of the description of the system
• The suitability of the design of controls and verification that they were implemented as of a specific date (Type I) or throughout the period (Type II)
• The operating effectiveness of controls throughout the period (Type II)
• The relevant changes to the system throughout the period (Type II)

Management’s assertion is based on several criteria that are outlined in SSAE 16. Criteria are basically the standards and benchmarks used to measure and evaluate the service organization’s controls.

It is possible that due to issues or exceptions that have come to management’s attention, management’s assertion letter is modified such that “except for” or other exclusionary language is added by management to the letter. Further, it is possible that the service organization may try to omit or clarify certain criteria from the description criteria outlined by the AICPA relative to the services it provides. It is therefore critical to read the management assertion letter carefully and ensure that you understand the description criteria that apply to the service organization and that you are aware of management’s opinion relative to the scope of the SOC 1.

You should also be aware of controls that management has included within its system, and that support the achievement of control objectives or description criteria, that need to be performed by the user entity. In some cases, management of the service organization assumes that certain controls will be implemented by the user entity. These are commonly referred to as complementary user entity controls; they are described in the description of the system. The control objectives stated in the description can be achieved only if these complementary user entity controls are suitably designed and operating effectively, along with the controls at the service organization.

The service auditor does not evaluate the suitability of the design or operating effectiveness of complementary user entity controls, but management’s assertion includes its assessment as to whether such controls are needed.

Key points related to the service auditor’s report
• Generally, controls must be in place for a minimum of six months in order for the service auditor to opine on operating effectiveness (Type II).
• Scope is defined by the service organization, not the service auditor.
• Control objectives and related controls are defined by the service organization, not the service auditor.
• Generally, only exceptions that result in the failure to achieve a control objective are disclosed in the service auditor’s opinion/report.
III. Service organization’s description of the system (written by service organization management)

A SOC 1 report includes the service organization’s description of the system. Generally, this section should, at a minimum, include a description of the following:
• Services provided
• Description of the control environment, risk assessment, control activities, information and communication, and monitoring (e.g., the Committee of Sponsoring Organizations of the Treadway Commission elements)
• Procedures by which services are provided, transactions are accounted for and related accounting records
• Capture and address of significant events other than transactions
• Report preparation process
• Control objectives and related controls
• Complementary user entity controls
• Control activities and monitoring controls
• Subservice organization controls

Key points related to management’s assertion
• Management’s written assertion is now required, so you should expect to see it within the report.
• If the inclusive method is used for a subservice organization, its written assertion should also be included within the report.
• Pay attention to management’s declarations, particularly when management indicates the system is fairly presented, suitably designed or operating effectively “except for” certain matters.
• Also consider the need to implement complementary user entity controls at your organization.

There should be sufficient information provided so that the user entity can understand how the service organization’s processing relates to user entities’ financial reporting. This section should also provide a description of the IT environment, including which systems are in use, and the related IT general computer controls (ITGC) and objectives. ITGCs should include controls related to logical and physical access, program change control, operations and relevant application controls. Contingency planning, such as disaster recovery or business continuity plans, should not be included within this section because a “plan” or “forward-looking statement” cannot be a control. If a service organization chooses to include this type of information, it would be found in section V of the report under supplemental material provided by the service organization.

An important component of the information provided by the service organization is a section addressing complementary user entity controls. This section of the report should not be overlooked. It describes the control activities that the service organization expects to be in place at the user entity (your organization). These controls can be critical to the design of the service organization’s controls and the assessment of the suitability of the design of controls to achieve the stated control objectives.

Key points related to management’s assertion
• Management’s description of controls may include control activities that are “out of scope” and not tested by the service auditor.
• Control objectives and related controls are defined by the service organization, not the service auditor.
• Complementary user entity controls are identified by the service organization.

Key points related to complementary user entity controls
• The user entity (your organization) is responsible for ensuring that complementary user entity controls are in place and operating effectively.
• The service auditor does not opine on the operating effectiveness of these controls.
• You need to be sure that the service organization provides you with the necessary information, if under its custody, for your organization to execute the stated controls.

The service auditor does not perform test procedures to determine operating effectiveness of the controls identified as complementary user entity controls. Rather, the user entity is responsible for ensuring that the stated controls are in place and operating effectively. You also need to evaluate whether or not the stated user entity controls apply to your organization.

As an example, assume that a service organization administers application security access for your organization. The service organization may include the following control activity as a “complementary user entity control”:

“The user entity will review logical security access no less than quarterly and notify the service organization of any additions, deletions and/or changes to security access that need to be made.”

This complementary user entity control is highlighting that it is the user entity’s responsibility to ensure that a quarterly access review is completed and includes the attributes named. With that being stated, it may not be possible for a user entity to conduct this review without support from the service organization. For example, it may be the user entity’s responsibility to obtain from the service organization the necessary information to conduct the stated review.

IV. Control objectives, control activities and tests performed

Typically, the control objectives and related control activities specified by the service organization, the description of control tests performed by the service auditor, and results of those tests are presented in a tabular format within a separate section of the report. Before you even begin to read this section, formulate your own list of control objectives and control activities you think are critical to your internal controls. Then you can perform a “gap analysis” by mapping those control objectives and activities to the SOC 1 report.

In accordance with professional standards, a service organization should not purposefully exclude from the report control objectives and/or control activities they know are relevant to a user organization’s internal control over financial reporting. Unfortunately, this situation sometimes occurs. In our experience, the following list represents some of the situations we have encountered wherein a service organization has requested the removal of a control objective or control. Some of these are legitimate, while others are not:
• The controls may not be implemented or operating effectively to achieve the related control objective. (Not an appropriate reason under SSAE 16 unless disclosed in the service auditor’s opinion and management’s assertion)
• A control objective and related controls may be specific to only one (or a few) of the service organization’s clients (customers), and the service organization wants the SOC 1 report to apply to the majority of its clients (customers). (Normally considered an appropriate reason under SSAE 16)
• A control objective and related controls may not be operating at the service organization because the related activities are outsourced to a subservice organization. (Normally considered an appropriate reason under SSAE 16 as long as appropriate disclosures are included within the report)
• A control objective and related controls may be totally dependent upon the user entity (your organization). (Normally considered an appropriate reason under SSAE 16)
• A control objective and related controls may be too costly to include. (Not an appropriate reason under SSAE 16 unless disclosed in the service auditor’s opinion and management’s assertion)

As you review a SOC 1 report, be sure that the control objectives and control activities included address risks that are important to your organization and are adequately addressed by the SOC 1 report. If not, consider the completion of additional procedures, including a visit to the service organization to conduct your own evaluation of the gaps, or engagement of a public accounting firm to conduct an “agreed-upon procedures” engagement to test the controls you believe are relevant but were excluded from the SOC 1 report.

Also, you should read the control objectives and control activities carefully and against the backdrop of your relationship with the organization. Even if a control objective was achieved and no exceptions were noted by the independent auditor, you still maintain responsibility for comparing the work performed against your expectations. You need to be sure the control objectives and control activities seem suitable or adequate to your organization’s needs. Control objectives and related controls may be written so narrowly that your expected control is not really addressed in the SOC 1 report.

For example, you may find a control such as the following: “Logical access granted to employees of the service organization is approved by the supervisor of computer operations.” Further, you see that the independent auditor tested the control and reported no exceptions. However, note that the control activity, as stated, addresses only access granted to “employees of the service organization.” What about controls related to access granted to “non-employees” (e.g., contractors, subservice organizations, temporary staff and employees of the clients/customers)? Also, are you satisfied that the individual (i.e., supervisor of computer operations) authorized to approve logical access to your environment is appropriate?

When reading the description of tests performed by the service auditor, be sure that you are comfortable with the testing that was performed. Typical methodologies applied to testing are:
• inquiry,
• inspection,
• observation, and/or
• re-performance.

Be sure that the applied testing methodology is appropriate for the stated control. Pay special attention to tests where inquiry was the only test procedure performed. Typically, inquiry should not be the only method applied to testing controls. This is especially true when the auditor’s report covers a period of time. Ideally, controls tested via inquiry should also be tested via at least one other testing method (e.g., inspection, observation and/or re-performance).

Key points related to control objectives, control activities and tests
• Control objectives and control activities are specified by the service organization, not the service auditor.
• You should determine the types of control objectives and related control activities that are relevant to your organization to identify any “gaps” between your needs and the SOC 1 report.
• Evaluate and discuss “gaps” with the service organization, and take appropriate action to gain comfort that the controls at the service organization are adequate.


When reviewing the results of the service auditor’s tests, it may be important to perform a self-assessment of the test results. For example, as you review the test results relating to a particular control and note an exception, look for the service auditor’s comments relating to that exception, and then apply your own experience and knowledge. And do not forget that a service organization can fulfill the requirements for and receive an “unqualified opinion” (all control objectives were achieved) even though the service auditor identified exceptions during the test of controls. You may want to discuss the exception(s) with the service organization and/or consider the effectiveness of any mitigating controls that may or may not be a part of the SOC 1 report.

Finally, management is normally requested to respond to each exception noted in the SOC 1 report. You should read management’s responses and decide if you are satisfied with its response. Ideally, management’s response will include a remediation plan. The service auditor renders no opinion on management’s response.

V. Supplemental information from the service organization

A separate section of the report may include additional information that the service organization wants to disclose but that is not subject to the procedures performed by the service auditor. Items such as a disaster recovery plan, a business continuity plan or a strategic plan may be included within this section. It is important to note that the service auditor does not express an opinion or provide any assurance on such additional information.

Contact information
Orus Dearman
Director, Business Advisory Services
T 703.637.4133
E [email protected]

Brett Williams
Partner, Business Advisory Services
T 404.475.0015
E [email protected]

Conclusion

The author Henry David Thoreau pointed out, “It takes two to speak the truth — one to speak and the other to hear.” By taking the time to read and understand the information provided in a SOC 1 report, you will have the ability to obtain incredible insight into your service provider’s internal controls. Use this guide to empower yourself to find the information and answers you need to make sound decisions, and actively participate in protecting your organization when dealing with outsourced service providers.

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

© Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd
