Service Organization Control (SOC) Reports and Their Usefulness

Introduction

With most organizations accumulating big databases, managers are aware of susceptibility to data breaches. Accordingly, organizations and auditors may require proof that a third-party cloud service company is taking reasonable precautions to protect their data and information. Even if a cloud service processor does not handle financial data but hosts various other types of transactions and processes, a Service and Organization Control (SOC) report may mitigate the risk and impact of a data breach (Shedari, 2013).

The triple interaction framework of internal controls refers to a set of interactions between a service organization, client, and CPA firm, to foster confidence in the internal controls of the service organization. As the knowledge economy expands, more organizations will outsource to cloud-based service providers. This requires an audit of the service organization’s internal control to reduce the probability of material errors and fraud. In the triple interaction model of internal controls, each organization is represented by a rectangle, with arrows showing interactions between the three agents. The client in Figure 1 is receiving payroll (PR) services from the service organization. Accordingly, the client’s CPA must audit the internal controls over PR at the service organization to be able to complete the client’s audit.

Figure 1.

Triple interaction framework related to SOC reports

SOC reports are relatively new, having started in 2011. They were created by the American Institute of Certified Public Accountants (AICPA). SOC reports can only be issued by a CPA (Certified Public Accounting) firm as the reports are the result of an attestation engagement. An attestation engagement is an examination performed by an independent CPA who checks the system to see if it conforms to industry standards. In addition, similar to auditing, CPA firms that provide SOC reports must commit to a peer review process (Maloney + Novotny, 2020).

A SOC report (not to be confused with the acronym for security operations center) is a way to verify that a third-party processor, such as a cloud service, is following best or reasonable practices before outsourcing a business function to that third party. SOC reports enable managers and auditors to feel confident that service providers are operating with proper security and internal controls (ICs). Also, auditors will refer to these reports when analyzing the internal control design and operation during an audit of a company that uses a third-party processor for some of their business functions.

A third-party processor should pursue SOC reports if the services impact a client’s financial or operational reporting. For example, if a cloud service hosts software and databases that process clients’ accounts receivable, billing, and collections data, this affects the client’s cash and accounts receivable on the balance sheet (financial reporting). Accordingly, a SOC report is appropriate. Another reason why outside processors pursue SOC reports is if their clients or auditors ask for a “right to audit.” Without SOC reporting, this could be a costly and time-intensive process, especially if several clients submit similar requests related to internal controls and cybersecurity (ISACA, 2011). The objective of this chapter is to review SOC reports and the issues related to their completion such as internal controls, types of SOC reports, and audit procedures.