Service Organization Controls (SOC) reports are developed for third-party service providers and issued by Certified Public Accountants (CPAs). The reports provide information on a service organization’s internal controls, policies, and procedures which could impact their client’s financial and other sensitive data.
Clients of a third-party service provider (called user entities) may need the SOC report to comply with regulatory requirements. These reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address the compliance, operations, and financial reporting of a service organization.
Reporting options developed by the AICPA include SOC-1 and SOC-2.
SOC-1 reports are focused on controls relevant to a user entity’s financial audit and focus on the service organization’s business processes and information technology. For instance, payroll service providers, or any service organization processing financial transactions on behalf of another company such as NBS, would typically obtain a SOC-1 examination to show that it has adequate controls and safeguards over its client’s financial data. A SOC-1 report is designed for the user entity’s external auditors who need assurance on the service organization’s controls since they are relevant to the user entity’s financial statement audit.
SOC-2 is based on Trust Services Criteria relevant to security, confidentiality, availability, processing integrity, and/or privacy. Typically, service organizations such as NBS subject themselves to a SOC-2 audit to demonstrate to clients or prospective clients that they have adequate controls relating to security, confidentiality, availability, processing integrity, and/or privacy.
There is some overlap between SOC-1 and SOC-2 reports. However, the subject matter and scope of SOC-1 primarily includes internal controls and financial reporting, whereas the subject matter and scope of a SOC-2 includes controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy.
The intended user of a SOC-1 report is the external financial statement auditor of the user entity, whereas the intended user of a SOC-2 report is any relevant party that is knowledgeable about the services provided and has a credible need for obtaining the assurances information included in the report.
Yes. A SOC report will contain the auditor’s opinion covering these three areas:
If these items are achieved by the service organization, the SOC auditor issues an “unqualified” opinion. If the above items are achieved but the auditor finds significant exceptions (such as a control objective that was not in place or was ineffective), the service auditor issues a “modified opinion.” If, however, the service organization materially fails one or more of the above, the SOC auditor issues an “adverse” opinion.
There are two types of SOC-1 and SOC-2 reports: Type-1 and Type-2.
Type-1 reports describe the service organization’s controls at a point in time. It includes the service auditor’s opinion, management’s assertion, and the description of the system. In addition to the information appearing in a Type-1 report, a Type-2 report also includes an assessment of the operating effectiveness of controls over a period of time.
NBS is audited annually by an independent CPA firm which issues both SOC-1 Type-2 and SOC-2 Type-2 reports. Our efforts in this examination and audit process demonstrate an ongoing commitment to our clients to serve as a dependable, transparent, secure TPA focused on minimizing risk (through effective controls), increasing value, and maintaining service standards. Our clients have confidence in their decision to partner with NBS knowing we are committed to quality and strong internal controls. For a copy of one of our SOC reports, please contact your NBS relationship manager.