In a SOC 1 or SOC 2 report, an organization may wish to communicate to report users information that is beyond the scope of the engagement. Such information may be prepared by the service organization’s management or by another party. For example, an organization may want to include other information, such as the following, in its SOC report:
- Future plans for new systems or system conversions
- Other services provided by the service organization that are not included in the scope of the engagement
- Qualitative information, such as marketing claims, that may not be objectively measurable
- Responses from management to deviations identified by the service auditor, such as information about causative factors for deviations identified in the service auditor’s tests of controls, the controls that mitigate the effect of the deviations, corrective actions taken, and expected future plans to correct controls
- A report comparing the service organization’s performance to its commitments to user entities per service-level agreements or a newsletter containing information about events at the service organization
- A description of a subsequent event that does not affect the functions and processing performed by the service organization during the period covered by the service auditor’s report but that may be of interest to report users
- Information relating to compliance with a process or control framework, such as a mapping of controls to the framework, when management has not identified compliance with such a framework as a principal service commitment or system requirement
Generally, such other information is presented in a separate section of the report (Section 5) entitled “Other Information Provided by the Service Organization.” Information in this section is not covered by the service auditor’s report; however, the service auditor is required to perform the procedures outlined below on the other information.
Paragraph .58 of AT-C section 205 states that the service auditor should read the other information to identify material inconsistencies, if any, with the subject matter, assertion, or report. If, upon reading the other information, the service auditor believes that either of the following applies, the service auditor should discuss the matter with service organization management and take further action as appropriate:
- There are material inconsistencies between the other information and the description of the service organization’s system, management’s assertion, or the service auditor’s report.
- A material misstatement of fact exists in the other information, the description of the service organization’s system, management’s assertion, or the service auditor’s report.
Thanks for reading!