Page 138 - CITP Review
Report on controls at a service organization relevant to security, availability, processing
integrity, confidentiality, or privacy (SOC 2 or SOC 3)
These reports provide assurance over controls at a service organization related to security, availability,
processing integrity, confidentiality, and privacy. A type 1 SOC 2 report examines whether the service
organization’s description presents the system that was designed and implemented as of a point in time
in accordance with the description criteria, and whether controls were suitably designed as of that point in
time to provide reasonable assurance that the service organization’s service commitments and system
requirements were achieved based on the applicable trust services criteria. A type 2 SOC 2 report
addresses the same description of the system and suitability of design of controls, and in addition contains an
opinion on the operating effectiveness of those controls over a specified period.
Intended users for this type of report include entities who are knowledgeable about the following:
- The nature of the services provided by the service organization
- How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties
- Internal control and its limitations
- Complementary user entity controls and complementary subservice organization controls, and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements
- User entity responsibilities and how they may affect the user entities’ ability to effectively use the service organization’s services
- The applicable trust services criteria
- The risks that may threaten the achievement of the service organization’s service commitments and system requirements, and how controls address those risks
Service organizations may want to provide prospective customers with information about controls at the
service organization addressed by SOC 2 examinations; however, prospective customers may not have
sufficient knowledge about the system to understand the information presented in the report. SOC 3
reports, which are general use reports, may be more appropriate in these situations. In a SOC 3
examination, service organization management prepares a written assertion about whether the controls
within the system were effective to provide reasonable assurance that the service organization’s service
commitments and system requirements were achieved based on the applicable trust services criteria.
Management also describes the boundaries of the system and the service organization’s principal
service commitments and system requirements. The service auditor provides an opinion on whether
management’s assertion was fairly stated based on the applicable trust services criteria. Unlike a SOC 2
report, a SOC 3 report does not include a description of the system, so the detailed controls within the
system are not disclosed. In addition, the SOC 3 report does not include a description of the service
auditor’s tests of controls and the results thereof.[32]
Exhibit 3-14 identifies features of each of these SOC for Service Organizations engagements.
In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a
practitioner; however, for SOC for Service Organizations engagements the term service auditor, rather
[32] See www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html, accessed August 28, 2019.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-54