Understanding SOC Reports
by Matt Waters, CPA on June 22, 2020
Understanding SOC Reports for User Clients
Any organization that relies on a service provider for lease accounting software needs assurance that the provider is protecting its user entities’ data and information systems. The way to get that assurance is by reviewing and understanding the service provider’s System and Organization Controls (SOC) report, formerly called a Service Organization Control report.
What is a SOC Report?
Developed by the American Institute of Certified Public Accountants, SOC reports review the systematic controls of service organizations. The report details the effectiveness of an organization’s safeguards for protecting its users’ high-risk systems and data.
There are three different classifications of SOC reports: SOC 1, SOC 2, and SOC 3. A SOC 1 report assesses financial controls. SOC 2 and SOC 3 reports revolve around security and availability controls.
For all three categories of SOC reports, there are two types of reports. Type 1 covers the effectiveness of the design and operating controls at one point in time. Type 2 reviews the effectiveness of controls over a period of time, usually no less than six months and up to 18 months.
SOC 1
A service organization assesses the control objectives that are needed to protect clients’ financial data. The SOC 1 auditor assesses the controls that are in place and creates a report so user entities and their auditors can judge whether a service provider’s information technology controls, such as access and business process controls, are working effectively.
Service organizations are responsible for describing to the SOC auditor their services and the controls they have in place to identify and decrease risks to user clients. The auditor, an independent third-party CPA, is responsible for opining on the fairness of the presentation of the description of the service organization’s design and on the effectiveness of controls.
The first section of the SOC 1 report includes a description of each control activity the service organization has and the test the auditor applied to each control, as well as the results of each tested control. The second section states the control activities user entities are expected to implement.
SOC 2
While SOC 1 reports revolve around protecting client financial data, SOC 2 reports address controls that are relevant to a service organization’s own operations. SOC 2 audits are designed to ascertain whether the service organization meets specified Trust Services Principles as defined by the American Institute of Certified Public Accountants.
The principles focus on five areas:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Only one of the five principles is required for a SOC 2 audit: security. Only those areas of a service organization’s information systems that touch a client’s information systems need to be audited.
The AICPA explains the areas in the following ways:
Security refers to the protection of information during its collection or creation, use, processing, transmission, and storage, and of the systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.
Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. It is an applicable principle when business processes are completed by the service organization on behalf of the user entity. For example, a service organization that provides the full cycle of reviewing, approving, and paying rent charges for a user entity should include processing integrity as a principle. The principle does not apply to a service organization that provides a software solution with which user entities perform these functions themselves.
Confidentiality addresses a service organization’s ability to protect information designated as confidential.
Privacy revolves around personally identifiable information (PII) that is collected, used, retained, disclosed, and disposed of to meet an entity’s objectives. PII is personal data that could be used to identify a person, such as their name, Social Security or driver’s license number, or home address. Service organizations that don’t process PII, such as companies that only provide software solutions, have little reason to include the privacy principle in their audits.
Auditor’s Opinion
In both a SOC 1 and SOC 2 report, an auditor presents her opinion on the fairness of the service organization’s presentation of the description, and the suitability of the design and operating effectiveness of the controls to achieve their objectives based on the organization’s description of them. An auditor will present one of three types of opinions.
- An Unqualified Opinion means the controls have been described fairly and accurately and operate effectively.
- A Qualified Opinion means the controls mainly adhere to the standards but fall short in some areas.
- An Adverse Opinion means the service organization failed in one or more standards. This is typically seen as a failing grade.
SOC 3
Like the SOC 2 report, the SOC 3 is based on the Trust Services Principles. While both the SOC 1 and SOC 2 reports have a “Restricted Use” section, SOC 3 reports are created to be freely distributed and posted on company websites as a seal of approval, valid for one full calendar year from the date of issue.
SOC 1 and SOC 2 reports are intended solely for the use of management of the service organization, its user entities and their auditors.