Page 136 - CITP Review
System and organization controls reporting
In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of
services practitioners may provide relating to system-level controls of a service organization and system-
or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By
redefining the acronym, the AICPA made room for new internal control examinations that may be
performed (a) for organizations other than service organizations and (b) on either the system-level or the
entity-level controls of such organizations. The following are the designations of the examinations in
the SOC suite of services:
1. SOC 1® —SOC for Service Organizations: ICFR (internal control over financial reporting)
2. SOC 2® —SOC for Service Organizations: Trust Services Criteria
3. SOC 3® —SOC for Service Organizations: Trust Services Criteria for General Use
4. SOC for Cybersecurity (discussed in chapter 1 of this course)
SOC for Service Organizations
IT governance becomes more challenging in a service organization environment due to the structure of
these organizations and their relationship to the nature and location of IT controls. The following sections
provide background on how service organizations differ in terms of IT risk and the ways in which this risk
is managed and reported.
Service organizations present a unique IT risk in that, for the most part, the relevant controls operate outside
the user entity and are not under the direct control of the user entity’s management. The risk that controls
at the third-party provider are inadequate can be reduced by obtaining independent assurance over those
controls, which is the purpose of SOC for Service Organizations reporting.
For the CITP, third-party providers and service organization issues focus on the outsourcing of IT
services. Entities might outsource the IT help desk, IT support (for example, network support), application
development, or processing of some accounting process (for example, payroll).
The inherent risk of outsourcing must be addressed, specifically the nature and effectiveness of the
controls at the service organization that relate to the service being provided. The question is twofold:
is the vendor reliable, and does the vendor have sufficient, effective controls to mitigate the IT risks
associated with the process and data being outsourced?
Reporting purposes and intended users
A CPA may be engaged to examine and report on controls at a service organization related to various
types of subject matter, for example, controls that affect user entities’ financial reporting or controls that
affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of
the information processed for user entities’ customers. The applicable attestation standard for such
engagements may vary depending on the subject matter. To make CPAs aware of the various standards
available to them for examining and reporting on controls at a service organization, and to help CPAs
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-52