Service Organization Control (SOC) reports
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.
A Type I report describes the service organization's description of controls at a specific point in time (e.g. June 30, 2012). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period (e.g. January 1, 2012 to June 30, 2012). The contents of each type of report is described in the following table:
-
Report Contents
-
Type I Report
-
Type II Report
- 1. Independent service auditor's report (i.e. opinion)
- Included
- Included
- 2. Service organization's description of controls.
- Included
- Included
- 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests
- Optional
- Included
- 4. Other information provided by the service organization (e.g. glossary of terms).
- Optional
- Included
In a Type I report, the service auditor will express an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.
In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.