This article was written by Jennifer Hayes, CPA, Manager at The Bonadio Group
Many of you find benefits in using service organizations for services such as credit card processing, payroll processing, investment management, and retirement plan services. System and Organization Controls (SOC) reports are examination reports over internal controls that are useful for evaluating the effectiveness of controls related to the services performed by a service organization. There are a variety of SOC reports available to service organizations which include, but are not limited to:
- SOC 1® — SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
- SOC 2® — SOC for Service Organizations: Trust Services Criteria
Auditors are required to understand internal controls at service organizations that assist organizations in recording, processing, summarizing, or reporting information.
Many organizations use a service organization to process payroll, which we typically see as one of the largest expenses for organizations. The user organization will use the service organization’s payroll reports to record those transactions into their accounting systems. Therefore, the auditor will request a SOC 1 report for the payroll service organization to understand if there are any significant issues with the service organization’s controls that would need to be considered during the financial statement audit.
One thing to note in a SOC 1 report is that it will list complementary user controls, which are the controls the user organization itself is expected to have in place for the service organization’s controls to operate effectively. As auditors, we consider whether the user organization has implemented these controls over the service organization’s activities and whether they operate effectively to prevent or detect material misstatements.
SOC 2 examination reports provide user organizations with information about the service provider’s system controls relevant to security, availability, processing integrity, confidentiality, or privacy, as set forth in the AICPA’s trust services criteria.
Over the last few years, we’ve seen tremendous increases in cybersecurity breaches at many different organizations regardless of size. I’m sure we all know of an organization or person who has been impacted. The use of these reports is one way to understand what controls the service organization has over the security of the data and if those controls are operating effectively.
These SOC reports are tools that management and board members should consider when selecting a service organization to process transactions or handle their data, in order to assess and manage the risks that come with using a third party. The reports should also be reviewed on an annual basis. Ultimately, if there is an issue, there is the potential that the organization could be held liable under applicable laws and regulations.
If you need further guidance or have any questions on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.