Page 137 - CITP Review
select the appropriate standard for a particular engagement, the AICPA has developed 3 different SOC for
Service Organizations engagements (SOC 1®, SOC 2® and SOC 3®) that involve reporting on controls at
a service organization.
In essence, an SOC report discusses the design effectiveness, implementation, and operating
effectiveness of the identified controls being examined at a service organization. A type I report
addresses only the first two aspects of the controls and a type II addresses all three.
Responsibilities [31]
Responsibilities in SOC reporting are as follows:
The service auditor is the auditor performing the SOC examination.
The service organization is the organization that provides services to user entities.
The user entity is the organization that uses a service organization.
The user auditor is the auditor performing audits for a user entity.
The subservice organization is the organization used by another service organization to perform services for user entities.
Types of reporting
There are two main types of SOC for Service Organizations reporting: reporting on controls at a service
organization relevant to user entities’ internal control over financial reporting (SOC 1), and reporting on
controls at a service organization relevant to security, availability, processing integrity, confidentiality, or
privacy (SOC 2 or SOC 3).
Report on controls at a service organization relevant to user entities' internal control over financial reporting (SOC 1)
This type of reporting examines controls at a service organization that are likely to be relevant to user
entities’ internal control over financial reporting. Service organizations frequently receive requests from
user entities for these reports because they are needed by the auditors of the user entities’ financial
statements (user auditors) to obtain information about controls at the service organization that may
affect assertions in the user entities’ financial statements. A SOC 1 report evaluates the description of a service
organization’s system and the suitability of the design and implementation of its controls to achieve
control objectives. This type of reporting may also include an evaluation of the operating effectiveness of
those controls throughout a specified period, describing in detail the tests of controls performed by the
service auditor and their results.
User auditors reading this report look for the controls directly related to the assessed level of risk
in the RMM. The user auditors decide whether the report properly addresses all of the relevant controls, as
well as the effect of the results of the procedures performed by the service auditor.
[31] Definitions are from AICPA, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®) Guide (Durham, NC: AICPA, 2017).
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-53