This is a guest post that was written by April Arruda, CPA from DiSanto, Priest, & Co. in Warwick, RI. DiSanto, Priest, & Co. is a professional advisory firm that has been in business for over 50 years providing a range of services to their clients. These services include Accounting and Assurance, Tax Planning and Compliance, Management Consulting, and Business Advisory services. For more information, please visit the DiSanto, Priest, & Co. website at http://www.disantopriest.com or by calling them at (401) 921-2000.
Over the past year, we have written several blog posts about the types of Service Organization Controls (SOC) reports and how obtaining such a report can benefit you or your organization. Although we have covered topics explaining the contents of the reports, such as the differences between a Type I and Type II report and the Five Trust Services Principles specific to a SOC 2 or SOC 3 report, we have not yet discussed the process for creating a SOC report and the documentation that a service organization needs to have in place in order for an auditor to issue an opinion.
Let’s start by briefly outlining the sections of a SOC report. A SOC report can have up to five sections, as follows:
Section 1 – Independent service auditors’ report
Section 2 – Management’s assertion regarding the effectiveness of its controls
Section 3 – Management’s description of its system and controls
Section 4 – Applicable trust services principles’ criteria and control activities
Section 5 – Other information provided
To simplify these sections, let’s think of a SOC report as the nutrition label for your service organization. And let’s, for the sake of this analogy, think of your business as a box of cereal; we’ll call it Control Flakes. Better yet, Control Flakes is organic! Obviously, with the modern trend of “clean eating”, management of your cereal wants to let its customers and potential customers know that it is organically made.
This brings us to the SOC report; we’ll start by skipping to Section 2. In this section, management is going to make the assertion that Control Flakes is truthfully organic. Comparatively, this is the section where management of a service organization is going to assert that the description of its services system (which is covered in Section 3) is complete and accurate. In this section, management will briefly list the contents that will be covered in the description, i.e. the types of services provided, the components of the system, how the system captures and processes significant events, any applicable trust services criteria, etc., as well as make the statement that the controls described are suitably designed and are operating effectively.
However, management cannot simply start declaring that Control Flakes is organic without first obtaining certification from the United States Department of Agriculture (USDA). This brings us back to Section 1, the independent service auditors’ report. In order to issue a SOC report, a certified public accountant (CPA) must audit the system description in Section 3. The CPA will then issue a letter to management stating the scope of their work and their opinion on whether the system description is complete and accurate, whether the controls are suitably designed to meet the stated objectives, and, in the case of a Type II report, whether the controls are operating effectively. This letter, which comprises Section 1, tells the reader of the SOC report that not only is management stating that the description is true, but an independent third-party auditor has also tested the information and issued an opinion on whether management is providing accurate information. Similarly, when a consumer notices the USDA certified label on a box of Control Flakes, they trust that the cereal is in fact organic.
In the past two paragraphs, we have made a couple of references to Section 3, management’s description of the system and its controls. Think of Section 3 as the real substance of your SOC report; it is the ingredients listing of your business. In the case of Control Flakes, the ingredients listing will spell out all of the organic ingredients that go into making the box of cereal and prove to the consumer that it is a healthy option. Comparatively, this is the section where management describes the services system and the controls in place over the system, and ultimately this is the section that the auditor will test and provide an opinion on. In this section, management should describe in detail the types of services provided, the components of the system, the boundaries of the system, the system controls, and all the other topics that were briefly listed in Section 2.
The next section, Section 4, is only applicable to SOC 2 reports. This section covers the applicable trust services principles and all of the controls that management has in place to meet each one of those principles. Think of this section as your nutrition facts. Each trust services principle is like a vitamin or mineral, and the more controls you have in place to meet a particular principle, the higher the nutritional value. In this section, management should list out each of the trust services principles, the applicable criteria, a description of each control that meets the criteria, and, for a Type II report, a description of the auditor’s test over each control and the results of that test.
Lastly, we come to Section 5, which is other information not covered by the auditor’s report. This section is available for any additional information that you would like to provide to the users of the SOC report concerning your services system. In the case of Control Flakes, you may want to tell consumers that your cereal can help lower their cholesterol, or that the cereal has plans to go gluten free. Similarly, in Section 5, management can discuss items such as a strategic plan or a business continuity plan, or any other items that they feel would be beneficial for the report users.
All sections listed above, apart from the independent service auditors’ report (Section 1), are the responsibility of management of the service organization (with the possibility of assistance from a third party). It is important to be as detailed as possible when creating your SOC report in order to explain the services system and the controls over that system in a way that is helpful to the report users and supportive in trying to reach a favorable audit opinion.