SOC Reports Flashcards
What is the Purpose of a SOC Report?
In general, the purpose of a SOC report (SOC 1 or SOC 2) is to provide the user entities of a service organization with information regarding the systems and internal control environment at the organization and whether the controls in place, relevant to user entities, are designed and operating effectively.
SOC 1
Focuses on the controls at a subservice organization that impact a user entity’s internal control over financial reporting.
An example subservice organization that would have a SOC 1 report is
a payroll processing company. The controls a payroll processing company has in place to process their user entity’s payroll will impact the user entity’s internal controls over financial reporting. The payroll processing company’s SOC 1 report would most likely include control objectives related to their payroll processing system and general information technology processes.
A SOC 2 report focuses on
non-financial controls, specifically on controls relevant to the TSCs
There are five TSCs that can be included in a SOC 2 report:
Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Why Do We Review SOC Reports?
SOC reports can be reviewed for many reasons but many user entities request SOC reports from their subservice organizations to use in support of their financial statement audit, especially SOC 1 reports. User entities typically provide SOC reports to their external and internal auditors in order for them to determine whether controls in place at the service organization were designed and operating effectively and if there were any issues that could have impacted the user entity’s systems or control environment. Typically, external or internal auditors will use a SOC report review checklist to highlight the key information presented in the report and to determine how the user entity’s environment is impacted by the results of the audit.
SOC reports can also be reviewed by the user entity themselves to determine whether the service organization is meeting service commitments and requirements. In many cases, user entities are unsure of how to review a SOC report as they do not have a SOC review checklist or the background that their internal and external auditors have. In the remainder of this post, we will cover critical areas for review in a SOC report if you are performing one and are unsure of what you should be looking for.
What Should I Look For When Reviewing a SOC (SOC 1 or SOC 2) Report?
If you are a user entity trying to review a SOC report and don’t have a SOC review checklist or the help of internal/external auditors, the following are suggestions for reviewing SOC 1 (formerly SSAE 16) and SOC 2 reports:
Report Scope: Many service organizations issue multiple SOC 1 and SOC 2 reports for the various products and services they offer. Review the title and system description to determine whether the report is in support of the product your organization is using.
Report Period: More than a few service organizations try to pass off old reports as current reports. Make sure you are provided with the current SOC report. Additionally, make sure the time period covered by the report meets your needs. Does the testing performed cover the design and operating effectiveness of the controls over a period of time (Type II) or a point in time (Type I)? If the report timing doesn’t provide you with the coverage you require, ask the service organization about it. They may be able to provide you with a bridge letter to cover a portion of your period that isn’t included in the report.
Service Auditor: The name of the service auditor issuing the SOC report is typically located in Section I of the report. Do some research on the service auditor issuing the report and determine whether they are a reputable CPA firm. Good resources to review are the AICPA’s website, where peer review reports can be found, and the website of the state accountancy board, such as the Colorado Department of Regulatory Agencies – DORA. If you don’t find any information on the service auditor after performing a search on these or related sites, discuss your concerns with the service organization.
Auditor Opinion: In the first section of the report, the opinion of the service auditor can be found. There are four types of audit opinions that could be used in a SOC report. The opinion will outline the scope of the report and whether the opinion is unqualified, qualified, adverse, or a disclaimer of opinion. If the report has a disclaimer of opinion, adverse opinion, or qualified opinion, your organization will need to evaluate how this impacts your reliance on the report and the services provided to you by the service organization.
Management’s Assertion: Management is required to include their written assertion in the report stating the report’s accuracy. In some instances SOC reports are being issued without a management assertion or the content of the management assertion differs from the auditor’s opinion. If it’s missing or opinions differ, a conversation with the service organization is warranted.
Location: Service organizations often have multiple locations, which is to be expected in the global economy. Make sure the report and audit testing cover the locations in which the service organization is performing services for your company. The locations covered can often be found in the system description of the report; if it is not obvious, ask the service organization to clarify.
Processes, People, & Systems: The processes, as well as the people and systems that support the processes, should be adequately described in the report. Make sure there is sufficient detail so you can understand what the service organization is doing and what they are not doing. If a key process (e.g., information security) is not described in the report, ask the service organization about it.
Subservice Organizations: In some instances, a service organization relies on a subservice organization to provide a portion of its services to the user entity. If a subservice organization is being used, determine whether the carve-out method or inclusive method is being used. If the carve-out method is being used, the services provided by the subservice organization and the related controls over the services provided are not included in the scope of the SOC report. If this is the case, you may need to request a SOC report from the subservice organization if the services they provide are material to your evaluation of the control environment. If the inclusive method is being used, the services provided and the controls at the subservice organization level are included in the scope of the SOC report. If any questions arise regarding the subservice organization, the services they provide, and what is being covered in the report, clarify with the service organization.
Complementary User Entity Controls (CUECs): Complementary user entity controls (CUECs) are controls the service organization is not responsible for, that the user entity should have in place when utilizing the system or services provided. When reviewing a SOC report, the organization needs to review the CUECs to determine whether the controls listed are relevant to them and if so, if they have the controls listed in place and operating effectively. Most SOC reports have CUECs listed within them.
Testing Procedures and Results: Based on whether the SOC report you are reviewing is a Type I or Type II report, you will need to review the extent of testing performed and determine if it is sufficient to meet your organization’s needs. The controls tested, the description of the testing performed and the results of the testing can generally be found in Section IV of the report. Review any findings/issues identified, including how they were mitigated and/or remediated, and determine how they impact your organization. It is common for SOC reports to have findings, so don’t panic if the one you are reviewing does. What is important is to determine if the findings impact the services provided to your organization or your organization’s control environment.
What are the Four Types of Audit Opinions?
The four types of opinions SOC reports can be issued with are: unqualified, qualified, disclaimer, and adverse opinions.
What is an Unqualified Audit Report?
What does it mean when your SOC report has an unqualified opinion? An unqualified opinion indicates that the controls tested as part of the report appear to be designed (Type I) and operating (Type II) effectively. An unqualified opinion doesn’t mean there were no issues/exceptions identified by the service auditor. An unqualified report can have issues identified by the service auditor in the testing they performed. If issues were identified but the report was unqualified, then the service organization and their auditors were able to mitigate and/or remediate the risks presented by the issues and the control was deemed effective despite these issues.
By issuing an unqualified report with issues, the service auditor did not believe that the issues identified resulted in a material weakness in the control environment. The user of the report will still want to understand the issues identified, but with an unqualified report opinion, the service auditor’s opinion is that the user of the report can place reliance on the service organization’s system.
What is a Qualified Audit Opinion?
If a SOC report is issued with a qualified opinion, it indicates that a control or controls were not designed (Type I) and operating effectively (Type II). A qualified report indicates that issues identified in the report were significant enough to deem one or more controls ineffective. Qualified report opinions are actually quite common and they are not considered as severe as an adverse or disclaimer opinion.
What does it mean for the user obtaining a qualified SOC report from their service provider? A qualified SOC report does not mean that you cannot rely on the report at all. The control objectives in the report that are designed and/or operating effectively can still be relied upon in most cases. It is the control(s) with deficiencies that will need further work on the part of the user.
For financial statement purposes, a client’s external auditor may be able to perform additional testing on secondary controls at the user level to mitigate the risk presented by the ineffective control(s) in the SOC report. It will depend on the user of the report to examine the services rendered by the organization and the controls they have in place at their organization to determine how much, if any, reliance will be placed on a qualified report.
What is the Difference Between a Qualified and Unqualified Audit Report?
As stated above, if a SOC report is issued with a qualified opinion, it indicates that a control or controls were not designed (Type I) and operating effectively (Type II). An unqualified opinion indicates that the controls tested as part of the report appear to be designed (Type I) and operating (Type II) effectively.
Both reports can have issues/exceptions identified by the service auditor, but the key difference is that in an unqualified report, the controls were still deemed effective despite any issues that may have been identified, whereas with a qualified report, a control or controls were found to not be designed and/or operating effectively. For the user of the report, a qualified audit report will mean more work for them in order to determine how the control deficiencies impact their control environment and how to mitigate the risk of these controls not being designed or operating effectively.
Many times we get the question, “how bad is a qualified report?” and the answer is always, it depends. It depends on the controls in question that failed and how those control failures impact the users of the report. In many cases, users of the service organization have compensating controls in place that can help mitigate the risk presented by the failure of the controls at the service organization. Other times, additional audit procedures can be performed by the user entity to determine if the controls that failed impacted their control environment or financial statements and to what extent.
How is a Going Concern Opinion Different From a Qualified Report?
A going concern opinion often means the organization is in financial peril and may meet its demise very soon. However, a qualified opinion on a service auditor’s report is more akin to a material internal control weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act purposes. A qualified opinion in a service auditor’s report could be described as similar to a significant deficiency or material weakness in internal control disclosure.
All should be avoided by management, though the going concern opinion is the worst of the opinions just described.