Providing guidance on service organization control services

Companies today increasingly rely on external service providers (service organizations) to perform key business functions. As a result, their customers and auditors need greater transparency into the service organization's operations and internal controls. Warren Averett's Service Organization Control reports are tailored to give a service organization's customers (the user entities) and their auditors independent assurance over the design and effectiveness of its internal controls. We work with service providers to understand the requirements of their stakeholders and customers and to determine the right report to meet those needs.

The American Institute of Certified Public Accountants (AICPA) has identified three distinct categories of Service Organization Control examinations:  SOC 1, SOC 2, and SOC 3 reports. Below is an overview of each category:

SOC 1 Examinations (SSAE 16)

SOC 1 examinations focus solely on a service organization's controls that are likely to be relevant to its customers' internal control over financial reporting. They were originally performed under SSAE 16, which has since been superseded by SSAE 18 (AT-C section 320); the scope of the report is unchanged.  Common examples of service organizations that would be candidates for a SOC 1 include trust departments, payroll processors, retirement recordkeeping services, actuarial services, and many others that provide outsourced services whose controls affect the user entity's financial reporting.

SOC 2 Examinations

Instead of focusing on financial reporting, SOC 2 examinations are performed against the Trust Services Criteria (formerly the Trust Services Principles) established by the AICPA, which cover five categories: security, availability, processing integrity, confidentiality, and privacy.  A SOC 2 report must cover at least one of these categories. In practice security is always included, because the security criteria are the common criteria that underpin the other four.

SOC 3 Examinations

Similar to a SOC 2 report, a SOC 3 report addresses one or more of the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.  The difference is in the audience: a SOC 3 is a general-use report that omits the detailed description of controls and the auditor's test results, so it can be distributed freely and is often published with a seal on the service organization's website or in its software.  It is frequently chosen by organizations such as online retailers and other Internet-facing service providers that want to make the outcome of the examination public, while the detailed SOC 2 report remains restricted to customers and their auditors.

Types of Service Organization Control Reports

In addition to the three categories of Service Organization Control reports above, SOC 1 and SOC 2 reports come in two types (a SOC 3 report always covers a period of time, so the distinction does not apply to it):

  • Type I – A Type I report covers management's description of the service organization's system and the suitability of the design of its controls as of a specific point in time.  It does not include any tests of operating effectiveness, so it provides only limited assurance that the controls actually worked.  Type I reports are most commonly used as a first-year SOC report.
  • Type II – A Type II report includes management's description of the system and the auditor's opinion on design, and adds tests of the operating effectiveness of the controls over a stated period.  These reports generally cover a minimum of six months (although most are annual reports).  The Type II offers the highest level of assurance of the SOC reports. When relying on another organization's Type II report, check the period covered, any exceptions noted in the test results, the complementary user entity controls you are expected to operate, and which subservice organizations have been carved out of scope.

Readiness Assessments

Because it is not in our clients' best interest to have a service organization control examination performed prematurely, we offer Readiness Assessments that help management evaluate the company's readiness for a SOC examination and identify control gaps that should be closed before the examination period begins.