Skip To Main Content
Colleagues discussing new plan with financial graph data on office table with laptop and digital tablet

Assurance beyond the financial statements: Reports on system and organization controls

When the term "audit" is mentioned, what comes to mind for most is the historical financial statement audit. But CPAs can provide assurance on many other types of information.

There are many drivers impacting requests for assurance engagements. For example, service organizations may receive requests from customers for assurance on several fronts, including assurance about their systems’ controls over financial reporting and controls related to users’ data and systems integrity. Alternatively, customers, investors and other stakeholders of all types and sizes of organizations concerned about cybersecurity may be looking to understand how an entity mitigates cybersecurity risk.

CPAs can help

CPAs can prepare assurance reports that provide users with the information needed to assess and address the risks associated with the services provided by an entity. The Canadian Standards on Assurance Engagements (CSAE) enable practitioners to perform a broad range of assurance engagements on a wide variety of subject matters other than historical financial statements. Using the CSAE, CPAs can provide system and organization controls (SOC) reports.

SOC reports are internal control reports, which independent CPAs provide, on the services a service organization provides, or on the controls in place at an entity. These reports:

  • are useful for evaluating the effectiveness of controls related to the services performed by a service organization
  • are appropriate for understanding how the service organization maintains oversight over third parties that provide services to customers
  • help reduce compliance burden by providing one report that addresses the shared needs of multiple users
  • enhance the ability to obtain and retain customers

CPA Canada provides guidance for practitioners in a variety of SOC offerings, including:

SOC 1® - Reporting on Controls at a Service Organization

These reports are specifically designed to address controls at a service organization that are relevant to the user entities’ financial statements. A SOC 1 report is intended solely for the information and use of existing user entities (for example, existing customers of the service organization), their financial statement auditors, and management of the service organization. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities, and user auditors.

SOC 2® - Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (includes SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report)

These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners, and regulators. Like SOC 2, SOC 3 reports address controls relevant to security, availability, processing integrity, confidential and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.

SOC for Cybersecurity

These reports provide information about the effectiveness of an organization’s cybersecurity risk management program, including the controls designed, implemented and operated to mitigate threats against the entity’s sensitive information and systems. They can be for either general use or restricted to specific users.

Keep the conversation going

Are you receiving requests for SOC engagements, or other internal control reports? Had you heard about the new SOC for Cybersecurity engagement? What resources would help you, as a practitioner, to sell or perform these engagements?

Post a comment below or email me directly.

Conversations about Audit Quality is designed to create an exchange of ideas on global audit quality developments and issues and their impact in Canada.

Don’t miss out! Get in-depth analysis and insight on current audit and assurance issues delivered straight to your inbox. Sign up for our Audit Quality blog by checking Audit Quality Blog under My Subscriptions in your profile. SUBSCRIBE NOW


The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.