Posted on 02-Nov-2015

Guide to understanding Service Organization Control (SOC) 1 reports

Authors: Orus Dearman, Director, Business Advisory Services, and Brett Williams, Partner, Business Advisory Services

A user entity's perspective

Until recently, the perception in the marketplace was that a service organization should provide a useful report surrounding its controls to its customers and customers' auditors through the issuance of a SAS 70 report. Within the last year, the AICPA has issued clarification to the marketplace relating to the standards available to service organizations under which a report may be issued to customers and other stakeholders. First, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16 to replace guidance within SAS 70 relating to service auditor reports related to controls over financial reporting. This standard became effective for reports with a reporting date ending after June 15, 2011. Further, the AICPA clarified reporting options available to service organizations to communicate to their customers and prospective customers certain operational controls relating to the Trust Services Principles. The communiques are in the form of Service Organization Control℠ (SOC) 2 or 3 reports. The three types of SOC reports may be summarized as follows:

- SOC 1℠ (the subject of this guide) addresses, consistent with SAS 70 reports, internal controls that are relevant to a user entity's internal control over financial reporting.
- SOC 2℠ addresses reports on controls related to the joint AICPA and Canadian Institute of Chartered Accountants Trust Services Principles and Criteria, which include a description of the service organization's system, and for a Type II report, a description of the tests of controls and related test results by the service auditor. These Trust Services Principles include security, availability, processing integrity, confidentiality and privacy.
- SOC 3℠ addresses applicable Trust Services Principles (just as with a SOC 2 report) but without a lengthy description of the service organization's system, and for a Type II report, without the detailed tests of controls and related test results.[1]

Understanding and deriving value from a SOC 1 report

When it comes to understanding SOC 1 reports, the age-old maxim "There are no dumb questions except those not asked" has never been more applicable, particularly in consideration of the new standard. But finding the right balance between asking too many questions and not asking enough can be a challenge. Either we ask too many uninformed questions and subject ourselves to being taken advantage of, or we do not ask enough questions and run headfirst into the proverbial brick wall, stand up, rub our heads and say, "I meant to do that." By obtaining a basic level of understanding of how to read a SOC 1 report, you can place yourself in a situation where you ask smart questions and can ultimately achieve greater insight into your service provider's business. SOC 1 reports, by design, are a means of auditor-to-auditor communication, but service organizations also use them as service provider-to-customer communication. The auditors of the service organization's customers may use the report in planning their audit as it pertains to their understanding and evaluation of the design of internal control over financial reporting. Service organizations' customers themselves may use the report to help them understand the controls the service organization has designed and implemented. They may use it, as well, to design and implement controls within their own environment to complement the controls of their service provider.

[1] Service Organization Control, SOC 1, SOC 2 and SOC 3 are proprietary service marks of the AICPA, which reserves all rights.

With this in mind, the ability to identify the rudimentary truths and effectively use the information contained in a SOC 1 report becomes a requirement for understanding its implications to a user entity's (customer's) overall control environment and control activities. Nonauditors are often left wondering how to discern this information in the midst of all of the auditor-speak included within these reports. Our objective with this guide is to help you learn how to read a SOC 1 report and determine how it can help you gain more knowledge and develop insight into your service organization's business.

SOC 1 report basics

Similar to SAS 70 reports, SOC 1 reports come in two forms: Type I and Type II. While both reports cover the fair presentation of the description of the system and the suitability of the design of the controls related to the control objectives stated in the description, a Type I report covers a point in time, while a Type II report covers a period of time. A Type II report also addresses the operating effectiveness of controls throughout the specified period. Most service organizations request a Type II report because it is most useful to their user entities and auditors.

SOC 1 reports generally include the following, which may be included in different sections of the report:

I. The independent service auditor's report (the opinion)
II. Management's written assertion, which may also include a subservice organization's assertion
III. Description of the system, which is provided by the service organization to describe, among other things, the services, the overall control environment, and the control objectives and controls related to the system being examined
IV. Service organization control objectives and related controls, and the independent service auditor's tests of controls and results of tests (Type II only)
V. Supplemental material provided by the service organization

I. Independent service auditor's report (opinion)

The opinion section of the SOC 1 report provides legitimacy to the overall SOC 1 report. This section describes the scope of the examination and articulates the service auditor's opinion on the results. This section provides a lot of information in a small amount of space.

The first thing you need to determine is whether the SOC 1 report addresses the service organization's activities that are relevant to your organization. Typically, the first paragraph of the service auditor's report explains, at a high level, the scope of the examination. Pay particular attention to whether the report excludes certain locations, products and/or services that might be of importance to your organization. The full description of the system is provided by management in a separate section of the report.

Key definitions

- Service organization or service provider: Organization providing the outsourced service
- Subservice organization: Organization used by the service organization to provide third-party services to the service organization
- Service auditor: Auditor performing a SOC 1 examination of the service organization's controls
- User entity: Organization receiving the outsourced service
- User auditors: External auditors of the user entity

Trends impacting use of SOC 1 reports

- Increasing amount of outsourced activities
- Growth of outsourced service providers, including the following: payroll functions, accounting functions, third-party retirement plan administrators and third-party health care administrators
- Increasing regulation, such as the Sarbanes-Oxley Act of 2002, which includes reporting on the effectiveness of internal control over financial reporting


Second, the service auditor's report may not cover services provided by the service organization's own third-party service providers (referred to as subservice organizations). For example, a service provider may outsource its data center to a subservice organization. Frequently, the scope of the report will not include, as part of the examination, the relevant description and controls at the subservice organization. The service auditor's report states whether the controls at subservice organizations are included (often referred to as the inclusive method) or excluded (often referred to as a carve-out) from the examination. Below is an example of carve-out language in an opinion:

    Example service organization uses ABC Computer subservice organization to perform aspects of its computer processing. The description of the system in section III of this report includes only the control objectives and related controls of Example service organization, and excludes the control objectives and related controls at ABC Computer subservice organization. Our examination did not extend to controls at ABC Computer subservice organization.


If subservice organizations are excluded from the examination, you need to assess the risks posed to your organization related to the services provided by these subservice organizations. If you deem one or more of these subservice organizations important to your organization, you need to determine how you are going to gain comfort with that organization's controls in any of the following ways:

- Obtaining a separate SOC 1 report from the subservice organization
- Conducting your own review of the controls in place at the subservice organization
- Requesting your service organization expand the scope of its SOC 1 report to include the subservice organization(s) in future reports
- Your external auditor may have to conduct specific procedures related to the controls in place at the subservice organization(s)

    Third, you need to determine whether the SOC 1 report is a Type I or a Type II report. The biggest difference between a Type I and a Type II report is the opinion on operating effectiveness. This opinion is provided only for a Type II report. Most service auditors will request a Type II report because it covers controls that were in place and operating for a period of time. Because the Type II report covers a period, it also includes a description of significant changes to the system during that period. The Type I report is as of a specific date.

Example opinion language

1. The description fairly presents the system (e.g., the description of the relevant controls of the Company) that was designed and implemented throughout the period January 1, 2011, to December 31, 2011. (Note: A Type I report is for a point in time.)
2. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period January 1, 2011, to December 31, 2011. (Note: A Type I report is for a point in time.)
3. The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period January 1, 2011, to December 31, 2011. (Note: This opinion is applicable only to a Type II report.)

    If the above statement (3) is absent from the report, you are reading a Type I report; its value to your organization is rather limited because it does not offer any assurance that the controls were operating effectively over a specified period of time.


Fourth, you may also find modified language within the service auditor's opinion that identifies exceptions to either the design of controls, the presentation of the system, or the operating effectiveness of controls due to matters encountered during the service auditor's examination and testing. Modifications to the standard opinion language are indicative of issues large enough that the service auditor believes they may have a significant effect on the reliance the user organization and user auditor may place on the related controls. However, despite the inclusion of this language, a reader still needs to review the entire report to determine whether the matters identified in the opinion and any other exceptions identified in the service auditor's description of tests of controls and related results affect your services. For example, if the affected control objective is not applicable to you, the user entity, either because your organization does not use that service or because you have other controls in place at your organization to mitigate the risk associated with that exception, then you may not be negatively impacted by the exception and the related modification made to the opinion by the service auditor.

We would also mention that the "Information provided by the service auditor" section of the report discloses any exceptions to specific control activities, even when such exceptions do not result in the failure to achieve a specific control objective. Such exceptions are not always included in section I (the service auditor's opinion section) of the report. However, because each user of the service organization's services may have slightly different risks, or may rely upon the service organization for different controls, it is important to carefully review section IV of the report, which details the service auditor's testing of specific controls and any exceptions noted. It may be that the exceptions noted are more impactful to one user entity than to another. So again, you must understand what risks you need to address in order to properly evaluate the content of the SOC 1 report as it applies to your organization.

Key difference: Type I vs. Type II

A Type I report does not include testing or an opinion related to the operating effectiveness of controls over a specified period of time.

Key questions to ask yourself

- Scope: Does the report address the service organization's activities relevant to your organization?
- Subservice organizations: Does the report include or exclude the controls at important subservice organizations?
- Type I vs. Type II: Is the report a Type I or a Type II report?
- Period: Does the period examined satisfy the requirements of your organization and your external auditor?

II. Management's assertion

For SOC 1 reports, management is now required to include a written assertion to accompany the service auditor's opinion. Management's assertion may be in a separate section of the report or included in the section containing its description of the system. If a subservice organization is included within the scope of the examination (inclusive method), the subservice organization would also provide a written assertion to be included within the SOC 1 report. This essentially means that the service auditor's tests of controls were extended to the subservice organization.

Management's written assertion covers the following:

- The fair presentation of the description of the system
- The suitability of the design of controls and verification that they were implemented as of a specific date (Type I) or throughout the period (Type II)
- The operating effectiveness of controls throughout the period (Type II)
- The relevant changes to the system throughout the period (Type II)

Management's assertion is based on several criteria that are outlined in SSAE 16. Criteria are basically the standards and benchmarks used to measure and evaluate the service organization's controls.

It is possible that due to issues or exceptions that have come to management's attention, management's assertion letter is modified such that "except for" or other exclusionary language is added by management to the letter. Further, it is possible that the service organization may try to omit or clarify certain criteria from the description criteria outlined by the AICPA relative to the services it provides. It is therefore critical to read the management assertion letter carefully and ensure that you understand the description criteria that apply to the service organization and that you are aware of management's opinion relative to the scope of the SOC 1.

You should also be aware of controls that management has included within its system, and that support the achievement of control objectives or description criteria, that need to be performed by the user entity. In some cases, management of the service organization assumes that certain controls will be implemented by the user entity. These are commonly referred to as complementary user entity controls; they are described in the description of the system. The control objectives stated in the description can be achieved only if these complementary user entity controls are suitably designed and operating effectively, along with the controls at the service organization.


The service auditor does not evaluate the suitability of the design or operating effectiveness of complementary user entity controls, but management's assertion includes its assessment as to whether such controls are needed.

III. Service organization's description of the system (written by service organization management)

A SOC 1 report includes the service organization's description of the system. Generally, this section should, at a minimum, include a description of the following:

- Services provided
- Description of the control environment, risk assessment, control activities, information and communication, and monitoring (e.g., the Committee of Sponsoring Organizations of the Treadway Commission elements)
- Procedures by which services are provided, transactions are accounted for and related accounting records
- Capture and address of significant events other than transactions
- Report preparation process
- Control objectives and related controls
- Complementary user entity controls
- Control activities and monitoring controls
- Subservice organization controls

There should be sufficient information provided so that the user entity can understand how the service organization's processing relates to user entities' financial reporting. This section should also provide a description of the IT environment, including which systems are in use, and the related IT general computer controls (ITGC) and objectives. ITGCs should include controls related to logical and physical access, program change control, operations and relevant application controls. Contingency planning, such as disaster recovery or business continuity plans, should not be included within this section because a plan or forward-looking statement cannot be a control. If a service organization chooses to include this type of information, it would be found in section V of the report under supplemental material provided by the service organization.

Key points related to the service auditor's report

- Generally, controls must be in place for a minimum of six months in order for the service auditor to opine on operating effectiveness (Type II).
- Scope is defined by the service organization, not the service auditor.
- Control objectives and related controls are defined by the service organization, not the service auditor.
- Generally, only exceptions that result in the failure to achieve a control objective are disclosed in the service auditor's opinion/report.

Key points related to management's assertion

- Management's written assertion is now required, so you should expect to see it within the report.
- If the inclusive method is used for a subservice organization, its written assertion should also be included within the report.
- Pay attention to management's declarations, particularly when management indicates the system is fairly presented, suitably designed or operating effectively "except for" certain matters.
- Also consider the need to implement complementary user entity controls at your organization.

    An important component of the information provided by the service organization is a section addressing complementary user entity controls. This section of the report should not be overlooked. It describes the control activities that the service organization expects to be in place at the user entity (your organization). These controls can be critical to the design of the service organizations controls and the assessment of the suitability of the design of controls to achieve the stated control objectives.

The service auditor does not perform test procedures to determine operating effectiveness of the controls identified as complementary user entity controls. Rather, the user entity is responsible for ensuring that the stated controls are in place and operating effectively. You also need to evaluate whether or not the stated user entity controls apply to your organization.

    As an example, assume that a service organization administers application security access for your organization. The service organization may include the following control activity as a complementary user entity control:

    The user entity will review logical security access no less than quarterly and notify the service organization of any additions, deletions and/or changes to security access that need to be made.

This complementary user entity control is highlighting that it is the user entity's responsibility to ensure that a quarterly access review is completed and includes the attributes named. With that being stated, it may not be possible for a user entity to conduct this review without support from the service organization. For example, it may be the user entity's responsibility to obtain from the service organization the necessary information to conduct the stated review.

IV. Control objectives, control activities and tests performed

Typically, the control objectives and related control activities specified by the service organization, the description of control tests performed by the service auditor, and results of those tests are presented in a tabular format within a separate section of the report. Before you even begin to read this section, formulate your own list of control objectives and control activities you think are critical to your internal controls. Then you can perform a gap analysis by mapping those control objectives and activities to the SOC 1 report.

Key points related to management's assertion

- Management's description of controls may include control activities that are out of scope and not tested by the service auditor.
- Control objectives and related controls are defined by the service organization, not the service auditor.
- Complementary user entity controls are identified by the service organization.

Key points related to complementary user entity controls

- The user entity (your organization) is responsible for ensuring that complementary user entity controls are in place and operating effectively.
- The service auditor does not opine on the operating effectiveness of these controls.
- You need to be sure that the service organization provides you with the necessary information, if under its custody, for your organization to execute the stated controls.


In accordance with professional standards, a service organization should not purposefully exclude from the report control objectives and/or control activities they know are relevant to a user organization's internal control over financial reporting. Unfortunately, this situation sometimes occurs. In our experience, the following list represents some of the situations we have encountered wherein a service organization has requested the removal of a control objective or control. Some of these are legitimate, while others are not:

- The controls may not be implemented or operating effectively to achieve the related control objective. (Not an appropriate reason under SSAE 16 unless disclosed in the service auditor's opinion and management's assertion)
- A control objective and related controls may be specific to only one (or a few) of the service organization's clients (customers), and the service organization wants the SOC 1 report to apply to the majority of its clients (customers). (Normally considered an appropriate reason under SSAE 16)
- A control objective and related controls may not be operating at the service organization because the related activities are outsourced to a subservice organization. (Normally considered an appropriate reason under SSAE 16 as long as appropriate disclosures are included within the report)
- A control objective and related controls may be totally dependent upon the user entity (your organization). (Normally considered an appropriate reason under SSAE 16)
- A control objective and related controls may be too costly to include. (Not an appropriate reason under SSAE 16 unless disclosed in the service auditor's opinion and management's assertion)

    As you review a SOC 1 report, be sure that the control objectives and control activities included address risks that are important to your organization and are adequately addressed by the SOC 1 report. If not, consider the completion of additional procedures, including a visit to the service organization to conduct your own evaluation of the gaps, or engagement of a public accounting firm to conduct an agreed-upon procedures engagement to test the controls you believe are relevant but were excluded from the SOC 1 report.

Also, you should read the control objectives and control activities carefully and against the backdrop of your relationship with the organization. Even if a control objective was achieved and no exceptions were noted by the independent auditor, you still maintain responsibility for comparing the work performed against your expectations. You need to be sure the control objectives and control activities seem suitable or adequate to your organization's needs. Control objectives and related controls may be written so narrowly that your expected control is not really addressed in the SOC 1 report.

For example, you may find a control such as the following: "Logical access granted to employees of the service organization is approved by the supervisor of computer operations." Further, you see that the independent auditor tested the control and reported no exceptions.


    However, note that the control activity, as stated, addresses only access granted to employees of the service organization. What about controls related to access granted to non-employees (e.g., contractors, subservice organizations, temporary staff and employees of the clients/customers)? Also, are you satisfied that the individual (i.e., supervisor of computer operations) authorized to approve logical access to your environment is appropriate?

When reading the description of tests performed by the service auditor, be sure that you are comfortable with the testing that was performed. Typical methodologies applied to testing are: inquiry, inspection, observation and/or re-performance.

    Be sure that the applied testing methodology is appropriate for the stated control. Pay special attention to tests where inquiry was the only test procedure performed. Typically, inquiry should not be the only method applied to testing controls. This is especially true when the auditors report covers a period of time. Ideally, controls tested via inquiry should also be tested via at least one other testing method (e.g., inspection, observation and/or re-performance).

Key points related to control objectives, control activities and tests

- Control objectives and control activities are specified by the service organization, not the service auditor.
- You should determine the types of control objectives and related control activities that are relevant to your organization to identify any gaps between your needs and the SOC 1 report.
- Evaluate and discuss gaps with the service organization, and take appropriate action to gain comfort that the controls at the service organization are adequate.


When reviewing the results of the service auditor's tests, it may be important to perform a self-assessment of the test results. For example, as you review the test results relating to a particular control and note an exception, look for the service auditor's comments relating to that exception, and then apply your own experience and knowledge. And do not forget that a service organization can fulfill the requirements for and receive an unqualified opinion (all control objectives were achieved) even though the service auditor identified exceptions during the test of controls. You may want to discuss the exception(s) with the service organization and/or consider the effectiveness of any mitigating controls that may or may not be a part of the SOC 1 report.

Finally, management is normally requested to respond to each exception noted in the SOC 1 report. You should read management's responses and decide if you are satisfied with its response. Ideally, management's response will include a remediation plan. The service auditor renders no opinion on management's response.
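As an added example that is not part of the guide, the reading rules from sections I through IV above (Type I versus Type II and the six-month period, carve-outs, the gap analysis against your own list of control objectives, inquiry-only test procedures, exceptions and their management responses, and complementary user entity controls) collected into a small Python review helper. The report it runs over is a constructed sample; every organization name, control and result in it is made up.

```python
"""Checklist runner for reviewing a SOC 1 report's section IV (control
objectives, controls, tests performed and results). Added example written for
this guide, not taken from it; the rules below encode what the guide tells a
user entity to look for, and SAMPLE is a constructed report, not a real one."""
from dataclasses import dataclass, field

# Test methods the guide names. Inquiry on its own is the weak case it warns about.
TEST_METHODS = {"inquiry", "inspection", "observation", "re-performance"}


@dataclass
class Control:
    objective: str                 # control objective it supports, as stated by the service org
    activity: str                  # control activity wording from the report
    test_methods: frozenset        # methods the service auditor applied to this control
    exceptions: list = field(default_factory=list)   # exception text noted by the auditor
    management_response: str = ""                    # management's response, if any


@dataclass
class Soc1Report:
    report_type: str                       # "Type I" or "Type II"
    period_months: int                     # length of the examination period (0 for Type I)
    carved_out_subservice_orgs: list       # subservice orgs excluded from the examination
    complementary_user_entity_controls: list
    controls: list


def review(report, my_objectives, cuecs_in_place):
    """Apply the guide's reading rules and return findings keyed by rule.

    my_objectives:  control objectives the user entity considers critical (the
                    list the guide says to write before reading section IV)
    cuecs_in_place: complementary user entity controls the user entity has
                    confirmed it operates itself
    """
    f = {"scope": [], "gaps": [], "inquiry_only": [], "exceptions": [],
         "no_response": [], "cuec_missing": []}
    unknown = {m for c in report.controls for m in c.test_methods} - TEST_METHODS
    if unknown:
        raise ValueError(f"unrecognised test method(s): {sorted(unknown)}")

    # Rule: a Type I report gives no assurance on operating effectiveness.
    if report.report_type == "Type I":
        f["scope"].append("Type I report: no opinion on operating effectiveness")
    # Rule: controls must generally be in place six months for a Type II opinion.
    elif report.period_months < 6:
        f["scope"].append(f"Type II period of {report.period_months} months is under six")
    # Rule: carved-out subservice orgs need separate comfort (own SOC 1, own review, ...).
    for org in report.carved_out_subservice_orgs:
        f["scope"].append(f"carve-out: controls at {org} not examined")

    # Rule: gap analysis of my objectives against what the report actually covers.
    covered = {c.objective for c in report.controls}
    f["gaps"] = sorted(set(my_objectives) - covered)

    for c in report.controls:
        # Rule: inquiry should not be the only test method, especially over a period.
        if c.test_methods == {"inquiry"}:
            f["inquiry_only"].append(c.activity)
        # Rule: exceptions can sit under an unqualified opinion; read each response.
        for e in c.exceptions:
            f["exceptions"].append((c.objective, e))
            if not c.management_response.strip():
                f["no_response"].append((c.objective, e))

    # Rule: CUECs are the user entity's responsibility; the auditor does not test them.
    f["cuec_missing"] = [u for u in report.complementary_user_entity_controls
                         if u not in cuecs_in_place]
    return f


# Constructed sample report (hypothetical service organization and controls).
SAMPLE = Soc1Report(
    report_type="Type II",
    period_months=12,
    carved_out_subservice_orgs=["ABC Computer (data center)"],
    complementary_user_entity_controls=[
        "Review logical security access no less than quarterly and notify the "
        "service organization of additions, deletions and changes",
    ],
    controls=[
        Control("Logical access", "Logical access granted to employees of the service "
                "organization is approved by the supervisor of computer operations",
                frozenset({"inquiry", "inspection"})),
        Control("Program change", "Changes are tested before release",
                frozenset({"inquiry"})),
        Control("Operations", "Failed batch jobs are reviewed daily",
                frozenset({"inspection"}),
                exceptions=["2 of 25 sampled job failures had no review evidence"]),
    ],
)
# The user entity's own list, written before reading section IV.
MY_OBJECTIVES = ["Logical access", "Program change", "Operations", "Data transmission"]

if __name__ == "__main__":
    for rule, hits in review(SAMPLE, MY_OBJECTIVES, set()).items():
        print(f"{rule}: {hits}")
```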

V. Supplemental information from the service organization

A separate section of the report may include additional information that the service organization wants to disclose but that is not subject to the procedures performed by the service auditor. Items such as a disaster recovery plan, a business continuity plan or a strategic plan may be included within this section. It is important to note that the service auditor does not express an opinion or provide any assurance on such additional information.

Conclusion

The author Henry David Thoreau pointed out, "It takes two to speak the truth, one to speak and the other to hear." By taking the time to read and understand the information provided in a SOC 1 report, you will have the ability to obtain incredible insight into your service provider's internal controls. Use this guide to empower yourself to find the information and answers you need to make sound decisions, and actively participate in protecting your organization when dealing with outsourced service providers.


Contact information

Orus Dearman
Director, Business Advisory Services
T 703.637.4133
E [email protected]

Brett Williams
Partner, Business Advisory Services
T 404.475.0015
E [email protected]

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.
