Estimated study time: 40 minutes
Content:
SOC (System and Organization Controls) reports are attestation engagements performed under the AICPA's SSAE 18 attestation standards (AT-C Section 320 for SOC 1; AT-C Sections 105 and 205 for SOC 2 and SOC 3) by an independent CPA firm acting as the service auditor. They provide assurance to user entities (the service organization's customers) and their auditors about the design and, for Type II reports, the operating effectiveness of controls at the service organization.
SOC 1 reports address controls at the service organization that are relevant to user entities' Internal Control over Financial Reporting (ICFR). They are used when the service organization processes transactions or data that directly affect the user entity's financial statements (e.g., payroll processors, loan servicers, claims administrators). SOC 1 Type I: management's description of the system plus the service auditor's opinion on whether the description fairly presents the system and whether the controls are suitably designed to achieve the stated control objectives, as of a specified point in time. SOC 1 Type II: everything in a Type I plus an opinion on the operating effectiveness of the controls over a specified period (generally at least 6 months; typically 12 months), with a description of the auditor's tests and their results. A Type I report therefore says nothing about whether controls actually operated; user entity auditors relying on a SOC report for an audit period need a Type II.
SOC 2 reports address the AICPA Trust Services Criteria (TSC), organized into five categories: Security (the common criteria, included in every SOC 2), plus Availability, Processing Integrity, Confidentiality, and Privacy (each optional, included based on the commitments the service organization makes to its user entities). A SOC 2 is a restricted-use report: distribution is limited to parties with sufficient knowledge of the system, such as the service organization, its user entities and their auditors, business partners, and regulators. SOC 2 Type I vs. Type II follows the same point-in-time vs. period distinction as SOC 1. SOC 3 uses the same Trust Services Criteria as SOC 2 but is a general-use report (can be posted publicly); it contains the auditor's opinion and a short system description but omits the detailed description of controls, tests performed, and test results, so it provides far less detail for evaluating a vendor.
Trust Services Criteria (AICPA): the Security category consists of the common criteria CC1 through CC9 (CC1 control environment, CC2 communication and information, CC3 risk assessment, CC4 monitoring activities, CC5 control activities, CC6 logical and physical access controls, CC7 system operations, CC8 change management, CC9 risk mitigation). The criteria most often relevant to a security reviewer: CC6 covers logical and physical access controls (provisioning, authentication, removal of access, encryption, physical access). CC7 covers system operations, including vulnerability and configuration monitoring, security event detection, and incident response and recovery. CC8 covers the change management process for infrastructure, software, and data. CC9 covers risk mitigation, including business disruption and the management of vendor and business partner risk. The Availability criteria (A1) address whether the system is available for operation and use as committed, covering capacity management, environmental protections, backup, and recovery plan testing (they do not set performance targets). The Processing Integrity criteria (PI1) address whether system processing is complete, valid, accurate, timely, and authorized. Confidentiality (C1) addresses identification, protection, and disposal of confidential information, and Privacy (P1 through P8) addresses the collection, use, retention, disclosure, and disposal of personal information in conformity with the organization's privacy notice.
Subservice organizations: if the service organization uses a subservice organization (e.g., a cloud hosting provider or a data center operator) whose services are relevant to user entity ICFR or to the Trust Services Criteria, the service organization presents those services using one of two methods. Carve-out method: the description identifies the subservice organization and the nature of its services, but excludes the subservice organization's controls from the description and from the auditor's examination; the description lists the complementary subservice organization controls (CSOCs) that the subservice organization is assumed to have in place, and the controls the service organization uses to monitor it. Inclusive method: the subservice organization's relevant controls are included in the description and are tested by the service auditor; this requires the subservice organization's cooperation, including a written assertion from its management. Because the inclusive method is rarely practical for large providers, carve-outs are the norm, and a carved-out subservice organization should have its own SOC report that user entities (or the service organization on their behalf) obtain and review to confirm the assumed CSOCs are in place and operating.
Complementary User Entity Controls (CUECs): controls that the service organization assumes user entities will implement, and that are necessary for the service organization's controls to achieve the stated control objectives or trust services criteria (e.g., the user entity restricts who may submit transactions, reviews output reports for accuracy, or removes terminated employees' access to the service). The service organization lists CUECs in the system description. When a user entity relies on the SOC report, its management is responsible for implementing the listed CUECs, and its auditors should evaluate whether those controls are in place and operating; a SOC report with unmet CUECs does not provide the assurance it describes.
Key Terms:
---