woman with a yellow button up shirt on sitting at a desk in a relaxed home office typing.
Tax & Accounting January 25, 2022

Data Security in the Cloud: SOC Reports for Service Organizations

Many entities outsource aspects of their business activities to organizations that provide services ranging from performing a specific task under the entity’s direction to replacing entire business units or functions of the entity. Due to the integral nature of many of these outsourced / cloud-hosted services to the customer’s business operations, many technology providers have implemented the best practice of obtaining security operations center (SOC) reports to substantiate their controls over client data are adequate.

Some of the services covered by SOC reporting include:

  • Application Service Providers (ASP)
  • Cloud Computing, Virtualization, On-Demand Computing Services
  • Data Center and Co-Location Providers
  • Internet Service Providers (ISP)
  • Managed Services
  • Payroll Services
  • Print and Mail Delivery
  • Social Media | Content Tagging and Aggregators
  • Software as a Service (SaaS)
  • Tax Credit and Empowerment Services
  • Third-Party Administrators (TPA)
  • Web Design, Development, and Hosting

Before we dive deeper into SOC reporting, it’s important to note that while SOC reports apply to cloud solutions, they can only be performed on a service provider – SOC reports cannot be performed on a solution provider.

Why am I making this distinction? Where the information is housed matters.

Solution providers will license or sell software that you choose to install on-premise. When the software is hosted on-premise, the CPA Firm controls all aspects of security, availability, and processing integrity, not the technology provider. There is no basis for a SOC report because the CPA firm controls all aspects of the data.

Meanwhile, a service provider – who may potentially be licensing the same software or solution that the solution provider installs on-premise – is hosting you in the cloud. The technology provider controls security, availability and processing integrity because your data and information are hosted in their cloud environment. Therefore, the applicable SOC report can (and should) be requested.

User Entities and Responsibility

SSAE 18 defines a user entity as a business that engages the services of a service organization (also referred to here as technology providers). We’ll be talking about ‘user entity’ in the context of a CPA firm and their use of service organizations.

Generally, when a CPA firm engages another business to perform processes or functions on its behalf, the CPA firm exposes itself to additional risks related to that business’ system. Partners of the CPA firm can, of course, delegate tasks or functions to a service organization. However, a CPA firm cannot delegate ownership and responsibility for the product or service provided.


The CPA firm’s partner(s) are usually held responsible by clients, regulators and others for establishing effective internal controls over outsourced functions.


To gain assurance that the service organization is appropriately processing the CPA firm’s transactions or workflows, service organizations engage service auditors to evaluate and measure their systems and services against suitable criteria and to opine on the acceptability of these systems and services.

There are several types of SOC reports, each having a specific purpose and intended audience. Let’s dive into four of them a little more deeply below.

Tax & Accounting Resources

Audit Talks Podcast

Learn from Audit Experts at Your Convenience

SOC 1® – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)

Prepared under SSAE 18 section AT-C 320, these reports are specifically intended to meet the needs of entities that use service organizations and the CPAs that audit the user entities’ financial statements. The use of these reports is restricted to the service organization’s management, user entities, and auditors.

There are two types of reports for SOC 1 engagements, Type 1 and Type 2. While both types report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, a Type 1 report is as of a specified date (single point in time). In contrast, a Type 2 report is throughout a specified period (usually a 6-12 month period).

Many organizations will start with a SOC 1 Type 1 report before obtaining their SOC 1 Type 2 report. Armed with the results of the Type 1, these organizations are better equipped to create a remediation plan that would ensure a favorable Type 2 report.

When does it make sense for you to ask your technology provider for a copy of their SOC 1 report?

If your technology provider is hosting financial information that could affect financial reporting, I strongly recommend requesting a copy of that provider’s SOC 1 report.

SOC 2® – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Services Criteria)

Prepared under SSAE 18 sections AT-C 105 and 205, these reports provide information about the security of controls, and optionally also the availability, confidentiality, privacy and processing integrity of the systems used to process users’ data.

Management of an entity also may use the TSC to evaluate the suitability of design and operating effectiveness of such controls. As a result, these reports can play an important role in the organizational oversight, provider management programs, internal corporate governance and risk management processes, and regulatory oversight. Generally, only parties with an understanding of the service organization and its controls may use these reports.

SOC 2 reports types are similar to SOC 1. There are two types of reports, Type 1 and Type 2. A Type 1 report is as of a specified date (single point in time), whereas a Type 2 report is throughout a specified period (usually a 6-12 month period). SOC 2 reports focus on the suitability of management’s description of a service organization’s system and the design of controls utilizing the TSC.

As with SOC 1 reports, many organizations will start with a SOC 2 Type 1 report and use the results of that report to create a remediation plan that would ensure a favorable Type 2 report.

When does it make sense for you to ask your technology provider for a copy of their SOC 2 report?

If that provider is hosting non-financial information, you want to ensure that they are securely handling your data and that your data will be available to you in the manner that it was contractually written to be available to you, I strongly recommend requesting a copy of that provider’s SOC 2 report.

Research & Learning

CCH® Accounting Research Manager® delivers interpretive guidance and authoritative content needed to confidently make accounting, financial reporting and audit decisions.

 

SOC for Cybersecurity

Prepared under SSAE 18 sections AT-C 105 and 205, SOC for Cybersecurity is a cybersecurity risk management examination introduced by the AICPA in April of 2017. This report is designed to provide general users with useful information about an entity’s cybersecurity risk management program for making informed decisions.

This report is intended for a broad range of users whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program, including management, directors, and other stakeholders.

SOC for Cybersecurity reports types are similar to both SOC 1 and 2 reports. There are two types of reports, Type 1 and Type 2. A Type 1 report is as of a specified date (single point in time), whereas a Type 2 report is throughout a specified period (usually a 6-12 month period). SOC for Cybersecurity reports focuses on the effectiveness of controls within the entity’s cybersecurity risk management program to achieve the entity’s cybersecurity objectives based on the control criteria.

And as with SOC 1 and 2 reports, many organizations will start with a SOC for Cybersecurity Type 1 report and use the results of that report to create a remediation plan that would ensure a favorable Type 2 report.

The SOC 2 and SOC for Cybersecurity report contents are structured similarly. However, there are a few key differences. While both report components are related to the service organization’s system and effectiveness of controls, a SOC 2 report relates to the Trust Services Criteria. In contrast, SOC for Cybersecurity reports on the entity’s cybersecurity risk management program.

Because a SOC for cybersecurity report is considered appropriate for general use, it will not be as detailed as a SOC 2 report. For example, a SOC for cybersecurity report does not contain a detailed description of the controls tested by the auditor, the test procedures, or the results of the test procedures.

The AICPA has an excellent resource center devoted to SOC for Cybersecurity reporting.

When does it make sense for you to ask your technology provider for a copy of their SOC for Cybersecurity report?

If you have concerns or would like assurance regarding the nature of your technology providers’ plans to keep your data safe – or if your technology provider has a history of data breaches, I strongly recommend requesting to review their SOC for Cybersecurity report.

SOC 3® – Trust Services Criteria for General Use Report

Not all users have the need for or knowledge necessary to make use of a SOC 2 report. Those users have the SOC 3 report.

Prepared under SSAE 18 sections AT-C 105 and 205, SOC 3 reports provide assurance about the controls at a service organization that affects the security, availability, and processing integrity of the systems used by a service organization to process users’ information. It also provides assurance about the confidentiality or privacy of that information.

Unlike SOC 1 and SOC 2 reports, which have a restricted distribution, SOC 3 reports are for general use, designed to be relevant to current and prospective customers. Some technology providers will use SOC 3 reports as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc.

And while the same standard governs SOC 2 and SOC 3 reports – AT-C 105 and 205 – unlike a SOC 2 report, a SOC 3 report will only ever be a Type 2 report. Therefore, a SOC 3 report will always report on the suitability of management’s description of a service organization’s system and the design and operating effectiveness of controls throughout a specified period.

Due to its general use nature, a SOC 3 report does not contain a detailed description of the controls tested by the auditor, the test procedures, or the results of the test procedures.

When does it make sense for you to ask your technology provider for a copy of their SOC 3 report?

Because a SOC 3 report is a general use report, it can be freely distributed, and as mentioned above, some technology providers will use these reports as a marketing tool. If you are considering several different technology providers, their SOC 3 report may be a good place to start your research, especially if it’s available on their website.

Data Security in the Cloud Matters

It doesn’t matter where your firm is on the technology adoption curve – cloud technology is an integral part of the future of a successful, thriving accounting firm. And as your firm invests in cloud technologies that support firm growth, partners and managers need to understand how their technology providers protect firm and client data, including when and what type of SOC report to request.

SOC reporting is no longer a topic that only SOC Auditors need to understand – CPA firm managers and partners need to have a strong understanding of the security of the operating environment, application controls, data privacy and data security.

Consider whether the solutions and services your firm uses in its day-to-day operations adequately protect firm and client data. While your technology provider is in charge of the security of controls, availability, confidentiality, privacy and processing integrity of the systems that house your data, at the end of the day, it’s the partners who are usually responsible if controls over outsourced functions – including data warehousing – fail. 

Colleen Knuff - Senior Director, Product Management
Senior Director, Product Management
Colleen is a Certified Internal Auditor (CIA), Chartered Public Accountant (CPA), Certified Information Systems Auditor (CISA), and is certified in Risk Management Assurance (CRMA).
Back To Top