Should My Organization’s Services Be Audited?

By Angela Appleby, CPA posted Sep 22,2014 13:38


Angela Appleby, CPA, Audit Partner, EKS&H LLP

Does your organization perform services for your clients?  Are your operational personnel responding to client questionnaires on your company’s IT policies or other processes? If so, you may be considered a “service organization” and may benefit from an independent review of your process controls. This type of audit can assess things like security, confidentiality, and privacy, among others.

A service organization is defined by the American Institute of Certified Public Accountants (“AICPA”) as “the entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.” In other words, if outsourcing to your company extends your customer’s internal control environment, you should be considering an audit.

The most common industries and types of organizations that can benefit from these services include:

Financial Institutions:

Technology Companies:

Other Businesses:

  • Trust departments of banks and insurance companies
  • Custodians for investment companies
  • Mortgage servicers or depository institutions that service loans for others
  • Title companies


  • Data centers
  • Software as a service (SaaS) providers
  • Infrastructure as a service (IaaS) providers
  • Platform as a service (PaaS) providers
  • Internet service providers (ISPs) and web hosting service providers
  • Cloud computing providers
  • Managed security
  • Enterprise IT outsourcing services
  • Health care claims management and processing
  • Regional transmission organizations (RTOs)
  • Customer support
  • Call centers
  • Sales force automation
  • Printing companies
  • Marketing
  • Payroll processing
  • Benefit plan management and administration


AICPA Control Report History

In 2011, the AICPA established three new reporting options for service organizations. These reports, commonly referred to as Service Organization Control (“SOC”) Reports, replace the retired and superseded Statement of Auditing Standards (“SAS”) No. 70. The original intention of SAS No. 70 reports was to address  the risks over processes  performed at a service organization that relate to internal controls over financial reporting (“ICFR”). However, the SAS No. 70 reports were misused to address other areas at a service organization regarding processes not relevant to ICFR.  As the need arose to support an organization’s due diligence and governance processes over these other services, the AICPA introduced the SOC 2SM and SOC 3SM reports to cover security, availability, processing integrity, confidentiality, and privacy based on the AICPA Trust Services Principles.

What you need to know about SOC Reports

SOC 1SM reports are applicable to any organization whose services affect their ICFR.

Such service organizations include, but are not limited to, trust departments of banks and insurance companies, custodians for investment companies, mortgage servicers or depository institutions that service loans for others, data centers, health care claims management and processing, software as a service providers (“SaaS”), internet service providers and web hosting service providers, and regional transmission organizations. 

SOC 2SM reports are applicable to almost any service provider that serves as an extension of its customer’s internal control environment as it relates to security, availability, processing integrity, confidentiality, or privacy.

Such service organizations include, but are not limited to, companies that provide cloud computing, managed security, customer support, sales force automation, health care claims management and processing, SaaS, data centers, and enterprise IT outsourcing services.

There are many instances when a service organization’s services could be applicable to both a SOC 1SM report and a SOC 2SM report. Although the reports cannot be combined, separate engagements can be performed to provide these service organizations with the reports that they need. When determining the report that is appropriate for your organization, consider the following:

  1. What is driving the need for this report?
  2. If customers are requesting it, what will they be using the report for?
  3. Are your customers primarily concerned about operational aspects of your outsourced services or do your services relate to your customers’ financial statements?

SOC 3SM reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2SM report.  Although SOC 3SM reports are shorter than SOC 2SM reports, the level of work required is the same or may exceed that of a SOC 2SM report. This is primarily because if the service organization outsources any of its services that are significant to meeting the applicable Trust Services Principles and Criteria, each subservice organization must also be audited and considered within the scope of the report.

The table below can help you determine the report that is right for your organization.


AICPA Standard

Who needs these reports?




AT 801


Management of the service organization, user entities, and auditors of the user entities’ financial statements

Audit of financial statements

Controls relevant to user entities’ ICFR


AT 101

Management of the service organization and other specified parties who have sufficient knowledge and understanding

Oversight and due diligence

Controls relevant to security, availability, processing integrity, confidentiality, or privacy


AT 101

Any users with the need for confidence in service organization’s controls

Marketing “confidence without the detail”

Seal and easy to read reports on controls


The SOC 1SM reports are based on AT 801, Reporting on Controls at a Service Organization, Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Reporting on Controls at a Service Organization. The SOC 2SM and SOC 3SM reports are reported under AT 101, Attest Engagements, as AT 801 is limited to controls related to ICFR.

Be sure to consult with your service auditors in making the determination over which report is right for your business, as it is easy not always completely clear.

Angela Appleby, CPA, is an audit partner with EKS&H LLLP and leads the Risk Advisory Services group. For more information about these services contact Angela at or 303-740-9400.