Any economic activity is subject to measurement by the accounting process and CPA study reveals that no area of commerce is overlooked. Even outsourced services are part of an accounting assessment. In fact, a special type of reporting about outsourcing arrangements has recently received new attention.
Service Organization Control (SOC) reports provide information about an outside organization and permit users to evaluate the risks associated with using the outsourced service. Since mention of these reports is a narrow part of CPA review material, accountants typically require some additional education about SOC. Previous standards for SOC reports were replaced in 2011 by new rules that CPAs are still learning to use.
Guidance for Service Organization Control is divided into three main categories. SOC 1 refers to the effectiveness of controls at a service organization that impact internal financial reporting of client companies. SOC 2 and SOC 3 relate to controls at the service organization concerning information privacy, security, confidentiality, and processing. Accountants who expect to provide audit services for companies that include outsourced arrangements with service organizations must gain a deep level of understanding about such engagements.
A general knowledge of audit and financial reporting from study for CPA exam preparation provides only the foundation for more advanced SOC learning. Accountants who want to set themselves in the vanguard of these engagements should familiarize themselves with new SOC reports and why the AICPA created them.
The rapid growth in outsourcing of various functions by businesses creates risks. Measuring and evaluating risk is, of course, a principal objective of accounting work. After all, essential accounting standards covered in courses for CPA licensing serve the purpose of rendering reports that are useful for risk assessment. In the past, service organizations provided only routine functions to a business, such as payroll processing. More outsourcing has occurred in an effort to streamline operations and reduce costs of supervising back office functions. For example, document management with cloud computing providers has exploded in popularity.
Outsourcing situations are convenient, but create control issues for the users of these services. The old accounting standard was designed to assist accountants in reporting on the controls at service organizations that impacted the financial statements of outsource users. But, new factors that impact the soundness of a company’s condition are not directly related to financial statements. This includes such areas as controls over privacy of customer data at outsource service organizations. The AICPA implemented a new framework to address these elements. Like all changes to accounting standards, this demonstrates how initial CPA exam study doesn’t end the training an accountant needs to maintain up-to-date expertise.
IRS Circular 230 Disclosure
Pursuant to the requirements of the Internal Revenue Service Circular 230, we inform you that, to the extent any advice relating to a Federal tax issue is contained in this communication, including in any attachments, it was not written or intended to be used, and cannot be used, for the purpose of (a) avoiding any tax related penalties that may be imposed on you or any other person under the Internal Revenue Code, or (b) promoting, marketing or recommending to another person any transaction or matter addressed in this communication.