We always try to update our CPA students on upcoming CPA exam changes. System and Organization Controls (SOC) are important because many companies use third party service providers to process some accounting transactions. For example, think about the huge number of Fortune 500 companies that use a payroll service provider. SOC reports refer to auditing controls at the third party service organization. Basically, you want to have some verification of the controls in place at the organization. You also want information about the auditor’s assessment of these controls.
What’s in a SOC Report?
Sometimes the SOC report will have an audit of controls for financial reporting. Other times the SOC report will focus on technology matters. For example data security, confidentiality and privacy are all hot button issues these days.
SOC Report: BEC Exam
For the BEC section of the CPA exam, there are there areas you must understand:
- Identifying the appropriate SOC report to meet a user entity’s needs
- Reviewing SOC reports to obtain information such as period covered, modifications, and complementary user entity controls
- Using SOC reports to understand risks and other considerations with cloud computing and IT outsourcing arrangements
You will need to be able to know how to read a SOC Report (format is different from what you are used to) to pick out the most important pieces of info. You will also be required to know which SOC report is useful for which type of situation.
SOC Report: AUD Exam
For the AUD section of the CPA exam, you will now be tested on the following:
- Differences between SOC 1® and SOC 2® report types
- Understanding the impact of using a SOC 1® Type 2 report in an audit
- Using a SOC 1® Type 2 report to determine the nature, extent and timing of procedures to be performed in an audit
In conclusion, SOC Reports are an important part of the accounting profession going forward. More and more functions are being outsourced to specialist firms. Thus, it is important to understand how to assess and report on third party organizations.