January 23, 2019

SOC reports: What your service organization needs to know

Systems and Organization Control (SOC) reports may be little known outside of accounting and auditing circles, but can prove pivotal to your service organization. These reports provide objective insight into controls that impact financial reporting, security, availability, processing integrity, confidentiality and privacy for user entities (i.e., any person or company that utilizes your firm’s services).

SOC reports serve as a credible, third-party attestation of controls at a service organization, and therefore provide assurance to user entities, and add value to the services offered by the service organizations.

If you are a manager or on the Board of Directors of a service organization (e.g., payroll processors, job recruiters, marketing consultants, cloud-hosting companies, data centers, etc.), it is in your best interest to ensure that you are doing everything possible to protect your user entities and perform your services in a completely accurate and secure way. The best way to provide this assurance to your user organizations is to have a third party conduct a SOC report. This can also serve as a huge competitive advantage, as you will appear more transparent than others in the industry that do not have the attestation of a third-party.

Once you’ve decided to obtain a SOC report, the next step is to determine which type of report is necessary for the services you offer. There are three main reports to consider:


According to the American Institute of Certified Public Accountants (AICPA), SOC 1 reports analyze controls at a service organization relevant to user entities’ internal controls over financial reporting.

For example, many companies utilize an outsourced service provider to process their payrolls. Any errors made by that payroll processing entity can adversely impact financial reporting for the user entity. Because of this risk, user entities often request to audit their payroll processors to ensure effective controls are in place.

In the past, service providers would be inundated with these audit requests, which were expensive and time-consuming to execute. Today, many service providers will instead proactively hire a third party like CBIZ to analyze their controls via a SOC 1 report that can be held on file for future use, and to attest to their user organizations that their controls are effective.


SOC 2 reports are intended for reporting on controls at a service organization relevant to these five categories: security, availability, processing integrity, confidentiality or privacy.

For example, let’s say a company outsources its IT infrastructure by utilizing the services of a cloud provider or data center. Although this service won’t necessarily impact financial reporting, the user entity should still ensure that its cloud-hosting, or data center provider adequately protects its servers and its users’ sensitive data. A SOC 2 report will accomplish that task, and can be applied to any combination of the five categories mentioned above.


SOC 3 reports are fairly rare in the industry. Similar to a SOC 2 report, it is intended to offer a third-party opinion about controls at a service organization that may affect the security, availability, processing integrity, confidentiality or privacy of a user entity.

However, there are two key differences. The first is that a SOC 3 report does not provide detail about the design, suitability or performance of those controls. It essentially just answers the question, “Does the service organization maintain effective controls?”

Additionally, only user entities that work directly with a service organization can request a SOC 1 or SOC 2 report, whereas SOC 3 reports are accessible to anyone once one is made available.

Changes in 2019

As of Dec. 15, 2018, SOC 2 reporting standards were updated to include various criteria changes that will impact companies seeking to obtain this type of report. According to the AICPA, the changes accomplish three important goals:

  1. They have aligned the criteria with the 2013 Internal Control Integrated Framework recommended by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework is commonly utilized to assess the design and implementation of internal controls.
  2. Cyber security risks are better addressed within the framework.
  3. Increased the flexibility of the report application.

Although these revisions will likely add to the time and dollars associated with conducting SOC reports, the benefits include more comprehensive coverage and communication of controls.

In summary, service organizations should strongly consider SOC reports, even in the absence of a formal user entity request. There is great value of being confident in the effectiveness of the company’s internal controls, and having the peace of mind that due diligence was executed on behalf of clients.

If you have any questions or would like more information about how CBIZ can help with SOC reports, feel free to email Ray Gandy directly at rgandy@cbiz.com.

Cyber risk assessment screenshot


blog comments powered by Disqus

Insights in Your Inbox
Find Us
  • OR