System and Organizational Controls (SOC) reports are the product of assurance engagements that help service organizations (entities that provide services to other entities) build trust and confidence in the services performed and the controls related to those services, through an assurance report issued under CSAE 3416 by an independent CPA.
While the term SOC stems from the American Institute of Certified Public Accountants (AICPA), the term is widely used in reference to ‘reporting on controls at a service organization’ which is what the Canadian and International standards use to describe the engagements.
What is CSAE 3416?
Canadian Standard on Assurance Engagements (CSAE) 3416 – Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting paragraph 1 notes that the standard “addresses reasonable assurance attestation engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”
What other standards are relevant for consideration?
CSAE 3416 complements Canadian Auditing Standard (CAS) 402 – Audit Considerations Relating to an Entity Using a Service Organization in that reports prepared in accordance with CSAE 3416 may provide appropriate evidence under CAS 402.
Practitioners are also required to comply with CSAE 3000 – Attestation Engagements Other Than Audits or Reviews of Historical Financial Information. CSAE 3416 supplements CSAE 3000 and expands on how CSAE 3000 is to be applied in an assurance engagement to report on controls at a service organization. CSAE 3416 does not replace CSAE 3000.
Do I need to be licensed to issue a CSAE 3416 Report?
As noted above, paragraph 1 of the standard states that a CSAE 3416 engagement is a reasonable assurance attestation engagement. Further, the CPA Act Section 47(1)(b) states that “performing any other assurance engagement and issuing an assurance report in accordance with the standards of professional practice published by the Chartered Professional Accountants of Canada” is considered the practice of professional accounting. As a result, practitioners must ensure that they are licensed at the Audit category of public practice licensing in order to execute an engagement under CSAE 3416.
Before accepting a CSAE 3416 engagement what should be considered?
Given the specialized nature of these types of engagements, practitioners considering a CSAE 3416 engagement should assess whether they or their firm possess the professional competence to properly conduct such an engagement. Also, given the assurance nature of these engagements, practitioners should ensure they comply with relevant independence standards (Rule 204 of the CPABC Code of Professional Conduct).
What are Type 1 and Type 2 Reports?
There are different types of CSAE 3416 reports, each designed to help service organizations meet specific user needs.
CSAE 3416 reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
What are SOC 1®, SOC 2® and SOC 3® Reports?
As noted above, SOC is an AICPA term, and similarly the SOC 1, 2, and 3 report designations come from the US Statement on Standards for Attestation Engagements (SSAE) 16. A SOC 1 report is largely similar to a CSAE 3416 report. Canadian standards currently do not specifically include reports similar to SOC 2 or SOC 3; however, an engagement under CSAE 3000 could accomplish the same.
SOC 2 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in: oversight of the organization; vendor management programs; internal corporate governance and risk management processes; and regulatory oversight. Similar to SOC 1 there are two types of reports for these engagements.
SOC 3 - Trust Services Criteria for General Use Report
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 Report.