Acquisition Policy Flash! 18-22 - Office of Acquisition and Logistics (OAL)
Attention A T users. To access the menus on this page please perform the following steps. 1. Please switch auto forms mode to off. 2. Hit enter to expand a main menu option (Health, Benefits, etc). 3. To enter and activate the submenu links, hit the down arrow. You will now be able to tab or arrow up or down through the submenu options to access/activate the submenu links.
Attention A T users. To access the combo box on this page please perform the following steps. 1. Press the alt key and then the down arrow. 2. Use the up and down arrows to navigate this combo box. 3. Press enter on the item you wish to view. This will take you to the page listed.
Veterans Crisis Line Badge
My healthevet badge

Acquisition Policy Flash! 18-22

What's Changed?

Service Organization Controls (SOC) Audits and Reports for certain Critical Services

Purpose:  The purpose of this Acquisition Flash is to provide the VA Acquisition Workforce language that may be edited and used in requirements documents for certain services critical enough to warrant SOC audits and reports.

Effective Date:  August 10, 2018.

Background:  VA may engage external parties to perform critical operational processes such as accounting and payroll processing, information and systems security services, health care claims processing and digitization, etc.  These external parties are referred to as service organizations.  VA management retains responsibility for the performance of processes outsourced to service organizations and will monitor the service organizations’ internal controls.  The extent of VA’s oversight of service organizations’ controls depends on the nature of the contract or agreement.

The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, provides the standard for auditing and reporting on service organization controls.

VA management should provide increased oversight of a service organization when the service organization’s activity is significant to VA’s financial statements.  Accordingly, VA should obtain SOC reports for any outsourced function that is significant to the specific department/office operations and the department/office should have monitoring controls over the review of those reports including implementing compensating controls in the event of control failures noted in those reports.  Obtaining and monitoring SSAE-18 reports is a way to limit VA’s risk if the Vendor’s own lack of controls over financial operation and information security may lead to substantial misrepresentation of VA’s financial information, impairment of security controls or breach of privacy data.

If a service organization’s activity is significant to VA’s financial statements, requiring a Service Organization Controls (SOC) 1 Type 2 audit and report may be warranted.

If a service organization’s activity related to information systems (including information security and privacy data controls) could seriously jeopardize VA’s ability to achieve a substantial mission objective, requiring a SOC 2 Type 2 audit and report may be warranted.  Examples include services such as the ability to access electronic health records or ability to pay VA employees in a timely way, etc.

The Attachment contains additional information and sample/draft language for requirements documents.

Applicability:  This notification is directed to the VA acquisition workforce.

Action Required:  When developing contract requirements for critically important services, review the attached file to determine if SOC audits and reports should be required from the contractor.  If appropriate, edit the sample/draft wording and include in solicitation documents to require audits and SOC 1 and/or SOC 2 Reports (as appropriate), using the SSAE 18 standard.

Additional Information:  Direct any questions or comments on this particular topic to Office of Internal Controls via email to