With so many accounting teams working remotely, cloud-based accounting software has become a vital tool for collaboration. Nearly 50 percent of accountants have
Even if an organization isn’t purchasing a new cloud-based accounting solution, SOC reports are still paramount to their internal controls, since software applications are continuously evolving. It’s important to make sure that any changes to the controls that vendors have in place are tested and well-documented in the SOC report. Changes in controls are inevitable, but the organization will want to ensure those changes are well-documented and tested because control failure can ultimately lead to errors or internal control deficiencies within a company’s financial statements.
With all that in mind, here’s a refresher on the types of SOC reports commonly issued for Software-as-a-Service products, how to understand them, and what to look for.
The basics
Developed by the American Institute of CPAs, a SOC report is an audit report issued by a CPA firm that presents an opinion on a service organization’s controls. SOC reports are important for evaluating SaaS providers because users have no control over or visibility into the code that makes the system work. A company’s customers, auditors and investors need to know that it is using software vendors with reliable controls in place. The SOC report demonstrates the reliability of controls over the services the vendor is providing to the company.
There are three different kinds of SOC reports, each with its own areas of focus and scope. For most accounting-focused SaaS products, a company is likely to receive a SOC 1 report. SOC 1 reports focus on a service organization’s controls over financial reporting.
There are two kinds of SOC 1 reports: Type 1 and Type 2. The SOC 1 Type 1 report is an assessment of an organization’s financial controls as of a specific date. The SOC 1 Type 2 report also covers a service organization’s internal controls over financial reporting, but the testing is performed over a period of time (such as six months or a year). Because it covers a period of time versus a point in time, the Type 2 report is more rigorous and contains more insight into the effectiveness of the vendor’s controls. For a company that is relying upon the controls at the service organization, this SOC 1 Type 2 report is preferable because it demonstrates that controls were operating effectively at the service organization for the entire period. This confidence allows many users to identify controls that are occurring at the service organization and document those controls within their entity’s internal control structure. This can result in cost-savings at the company if they are able to eliminate documenting/testing controls performed by an individual and instead rely on service organization controls that have already been tested within the SOC 1.
SOC 2 and SOC 3 reports focus on a service organization’s controls regarding security, availability, processing integrity, confidentiality or privacy. There are two types of SOC 2 reports: Type 1, which is an assessment of whether controls exist; and Type 2, an assessment of the effectiveness of the controls. The key difference between SOC 2 and SOC 3 reports is that SOC 3 reports are less detailed, are able to be distributed to a larger group and don’t include a description of the service auditor’s tests of controls and results.
For accounting and compliance-focused software, a SOC 1 Type 2 report is ideal because of its focus on controls over financial reporting for a period of time. However, SOC 2 or 3 reports may be sufficient for systems used for functions other than financial reporting, such as project management.
What to look for in a SOC report
Whether you’re receiving a SOC report as part of a new vendor assessment, or getting the latest report from your current provider, there are three important elements to look for in the report:
1. Who issued the report? To meet the AICPA’s criteria, SOC reports must be issued by a licensed CPA firm. To provide assurance that the report is impartial, the firm should be an auditor that is completely independent of the vendor. The firm should also have information technology expertise, because a SOC report is an assessment centered on information security and internal controls, not a financial audit. Companies should check whether a vendor’s SOC report was issued by a firm whose staff hold certifications such as Certified Information Systems Auditor or Certified in Risk and Information Systems Control. These certifications, along with the CPA designation, demonstrate the level of knowledge needed to appropriately assess the vendor.
2. What is the auditor’s opinion? Independent audit reports provide one of three types of audit opinion: unqualified, qualified, or adverse. In rare instances, an audit firm may instead issue a disclaimer of opinion.
Ideally, a vendor’s SOC report receives an unqualified opinion, which means the vendor meets or exceeds assessment criteria with no modification. There may be exceptions, but they aren’t material enough to warrant a qualified opinion. An unqualified opinion is consistent with a “clean” audit opinion.
A qualified opinion is issued in the event that the vendor does not meet all assessment criteria, but the issues found by the auditor aren’t considered to be severe. Those issues should be documented for review within the SOC report. In the case of a qualified opinion, these lapses are noteworthy but don’t equate to a material failure.
An adverse opinion is issued when a vendor materially failed one or more assessment criteria. And finally, a disclaimer of opinion is provided when the CPA firm doesn’t provide an opinion due to insufficient data.
3. What were the control objectives? For the purposes of a SOC report, control objectives are defined for a set of controls at a service organization. Control objectives are determined by the service organization and should align with the user’s needs for the functions performed by the software.
For example, a control objective may be controlled access: Does the vendor ensure that access to programs, systems, and data is restricted to authorized individuals? The vendor will work with the independent auditor to test control activities (such as password settings, user access levels, etc.) and assess whether they provide reasonable assurance that the vendor is effectively managing access to the system.
The vendor’s SOC report should contain a detailed breakdown of each control objective, the control activities that were tested, and the auditor’s assessment of their effectiveness. For end-users, it’s also important to assess any complementary user entity controls the software vendor expects the user organization to put in place in order for the service organization controls to be effective.
Other procedures to assess
Among other valuable reports, an agreed-upon procedures (AUP) engagement is another layer of reporting and procedures to ask a vendor for when assessing the value and compliance of a solution. An AUP engagement is performed in accordance with AICPA rules: a qualified CPA performs specific procedures and reports the findings without providing an opinion or conclusion. Because the engaging party best understands its own needs, it agrees to the procedures and acknowledges their appropriateness for the intended purpose of the engagement. Intended users then assess the procedures and findings reported by the CPA and draw their own conclusions from the work performed.
The bottom line
Reviewing the SOC reports and various other procedures of potential vendors should be a standard part of any accounting software purchase process. And as so many are still working from home, it’s more important now than ever to confirm nothing within a vendor’s SOC report has failed in the control environment.
While changes to controls are inevitable and perfectly acceptable, service organizations must document all changes and test the new controls. As SaaS solutions become more and more central to today’s accounting departments, staying vigilant and ensuring vendors proactively communicate and share their SOC reports, bridge letters, AUP engagement reports, and other relevant data further establishes their long-term reliability.