SOC Examinations (SOC 1, 2 & 3)

Service Organization Control (SOC 1, SOC 2 or SOC 3) Reports are specialized reports on the design and operating effectiveness of a service organization’s system of internal control. The primary value of these examinations is an independent assessment of the outsourced service provider’s system of control. Their use has grown significantly over the last 10 years, due in part to the Sarbanes-Oxley Act of 2002 and the increase in regulation of the financial sector under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. This is a core service offering of Morice & Layton.

Common Service Providers include:

  • Payroll Processors
  • Loan Servicers
  • Asset Managers
  • Real Estate Property Managers/Servicers
  • Software and Network Hosting Providers
  • Billing and Payment Processors
  • Title and Escrow/Real Estate Settlement Providers

Depending on its needs, including the distribution requirements for the report, the control objectives and the type of controls covered, a service organization can choose from one of three reporting options, known as SOC 1, SOC 2 and SOC 3.

SOC 1 (Previously known as SAS 70)

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting – These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and the user entities’ auditors as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions.

These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act, and of the work of the user entities’ auditors as they plan and perform audits of the user entities’ financial statements.

There are two types of reports for these engagements:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

SOC 2

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.

These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders’:

  • Oversight of the organization
  • Vendor management program
  • Internal corporate governance and risk management processes
  • Regulatory oversight

As with a SOC 1, there are two types of reports: Type 1, a report on management’s description of a service organization’s system and the suitability of the design of controls; and Type 2, a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. These reports may be restricted in use.

The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.

SOC 3

Trust Services Report for Service Organizations

These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because they are general use reports, SOC 3 Reports can be freely distributed or posted on a website as a seal. For more information about the SysTrust for Service Organization seal program go to www.webtrust.org.
