Office of Acquisition and Logistics (OAL)
Acquisition Policy Flash! 18-22
Service Organization Controls (SOC) Audits and Reports for certain Critical Services
Purpose: The purpose of this Acquisition Flash is to provide the VA Acquisition Workforce language that may be edited and used in requirements documents for certain services critical enough to warrant SOC audits and reports.
Effective Date: August 10, 2018.
Background: VA may engage external parties to perform critical operational processes such as accounting and payroll processing, information and systems security services, health care claims processing and digitization, etc. These external parties are referred to as service organizations. VA management retains responsibility for the performance of processes outsourced to service organizations and will monitor the service organizations’ internal controls. The extent of VA’s oversight of service organizations’ controls depends on the nature of the contract or agreement.
The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, provides the standard for auditing and reporting on service organization controls.
VA management should provide increased oversight of a service organization when the service organization’s activity is significant to VA’s financial statements. Accordingly, VA should obtain SOC reports for any outsourced function that is significant to the specific department/office operations, and the department/office should have monitoring controls over the review of those reports, including implementing compensating controls in the event of control failures noted in those reports. Obtaining and monitoring SSAE 18 reports is a way to limit VA’s risk where a vendor’s own lack of controls over financial operations and information security could lead to substantial misrepresentation of VA’s financial information, impairment of security controls, or breach of privacy data.
If a service organization’s activity is significant to VA’s financial statements, requiring a Service Organization Controls (SOC) 1 Type 2 audit and report may be warranted.
If a service organization’s activity related to information systems (including information security and privacy data controls) could seriously jeopardize VA’s ability to achieve a substantial mission objective, requiring a SOC 2 Type 2 audit and report may be warranted. Examples include services that support the ability to access electronic health records or the ability to pay VA employees in a timely way.
The Attachment contains additional information and sample/draft language for requirements documents.
Applicability: This notification is directed to the VA acquisition workforce.
Action Required: When developing contract requirements for critically important services, review the attached file to determine whether SOC audits and reports should be required from the contractor. If appropriate, edit the sample/draft wording and include it in solicitation documents to require audits and SOC 1 and/or SOC 2 reports (as appropriate), using the SSAE 18 standard.
Additional Information: Direct any questions or comments on this particular topic to Office of Internal Controls via email to icpmo@va.gov.