Professional Documents
Culture Documents
Why SOC?
Nowadays, it is typical for companies to outsource to a service entity various duties and
responsibilities that are relevant to their business, including functions which are important and essential to
their daily business undertakings. In effect, the organization is able to minimize their costs while
increasing their core competencies. However, the American Institute of Certified Public Accountants
reported that each time user entities outsource tasks from service organizations, the service firms’ risks
also become the user entities’ risks. The increasing demand for outsourcing and the risks associated with
it has led to a more formalized system of monitoring and supervising the processes of service
organizations in the form of Service Organization Controls (SOC) reporting. Through this framework,
service organizations can now acquiesce and satisfy the demands for assurance of user entities and the
user auditors who utilize these reports when assessing and evaluating the user entities’ financial
statements. Among the SOC reports is SOC 1, which is released for activities that adhere to the
Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
Objectives of SOC 1
The primary purpose of SOC 1 is to report controls pertinent to the user entities’ internal controls
over financial reporting. In addition, SOC 1 intends to establish trust and confidence with the service
organizations’ clientele. Having SOC 1 reports is useful not only for user entities, but also for service
organizations in determining the quality of services the service organizations provide. However, the use of
SOC 1 report is limited to the management, their clients, and their clients’ auditors, hence SOC 1 cannot
be utilized as a marketing document (e.g. displaying SOC 1 report on the service organization’s webpage
as a “seal of approval”).
Choosing SOC 1
Since there are three SOC reporting — SOC 1, SOC 2, and SOC 3 — to choose from, ensuring
that the appropriate reporting option will be used is important. SOC 1 is only fitting if the service
organization’s clients and their auditors will utilize this report in planning and conducting a financial
statement audit.
With SOC 1 reports, plan managements examine and check their controls and ascertain if these
controls are working or not. More so, they will be able to determine the dearth in the controls and look at
the feedback or reactions of the service providers. In effect, the management can create a resolution and
assess if switching to a new service provider is ideal and necessary.
Conclusion
From the perspective of the business doing the outsourcing, SOC 1 report is a necessity with
regards to financial auditing and will most likely be requested by the accounting firm. Furthermore, SOC 1
report will allow an entity to closely monitor its vendor to ensure that the entity is receiving quality
services. Moreover, SOC 1 report will allow the entity to evaluate and assess risks associated with
outsourcing not only its financial transactions, but also other important business functions. SOC 1 is
undoubtedly an important risk assessment tool for the user and is a way to hold the service organizations
accountable in providing the services agreed to.