Last April, the AICPA announced that SAS 70 was going away, to be replaced by SSAE 16. Since that time, additional discussion and guidance has resulted in more fine-tuning of the standards. It turns out that the AICPA has done a lot more than just renumber and reorganize SAS 70. The Institute has created three new Service Organization Control (SOC) reports intended to provide a framework for CPAs to examine controls at a service organization.
SOC 1: SSAE 16 and The New SAS 70
SOC 1 reports will result from attestation engagements focused on controls at service organizations that are likely to be relevant to an audit of a user entity’s (customer’s) financial statements. These engagements will be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) 16. As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports. Type 1 reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report provides the auditors’ opinion as to the accuracy and completeness, the suitability of the design of controls, AND the operating effectiveness of the controls throughout a declared time period, generally between six months and one year.
SOC 1 reports are “restricted use” reports intended only for user entities (existing customers) and their auditors, not potential customers or the general public.
SOC 2 reports are based on AT section 101 of the AICPA professional standards. A SOC 2 report covers controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. The criteria upon which these examinations will be based are contained in Trust Services Principles, Criteria and Illustrations (AICPA, Technical Practice Aids) established jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA). The criteria are organized into five key attributes or “principles”:
1) Security – the system is protected against unauthorized access (physical and logical).
2) Availability – the system is available for operation and use as committed or agreed.
3) Processing Integrity – system processing is complete, accurate, timely and authorized.
4) Confidentiality – information is classified and protected as committed or agreed.
5) Privacy – personal information is collected, used, retained, disclosed and disposed of as committed or agreed.
SOC 2 reports can be based on one or more of the principles listed above.
As with SSAE 16, a SOC 2 report can be issued as a Type 1 or as a Type 2. A Type 1 report presents the auditors’ opinion as to the accuracy and completeness of the system description as well as the suitability of the design of the controls. A Type 2 report includes all aspects of a Type 1 report and also includes a description of the tests performed by the service auditor and the results of those tests. A SOC 2 report is also a restricted use report intended for existing customers and their auditors.
SOC 3 reports are also based on AT section 101 of the AICPA professional standards and follow the Trust Services Principles. The primary difference between a SOC 2 report and a SOC 3 report is that a SOC 3 report provides only the system description provided by management and the auditor’s opinion on whether the system achieved the trust services criteria. The SOC 3 report does not contain any details about the service auditor’s testing or the results of the testing. A SOC 3 report is a general use report, available to existing and potential customers as well as the general public.
If the service auditor believes that the service organization achieved the trust services criteria, the organization may then distribute the SOC 3 report to customers and may publicly display the SOC 3: SysTrust for Service Organizations seal. This seal is recognition that the organization’s controls meet the criteria established by the AICPA and CICA.
The new reporting standards for controls at service organizations have been developed in an attempt to provide alternatives to service organizations that will better match the type of report to the primary interests of its user organizations or customers. The use of pre-defined controls criteria for SOC 2 and SOC 3 reports will enable potential customers to have a greater level of assurance that the service providers carrying the SOC 3 seal have adequate controls in place to protect their information assets.
David Barton, CRISC, Principal, UHY LLP
David is a Principal and is the practice leader of the Technology Assurance and Advisory Services group at UHY Advisors, Inc. in Atlanta, GA. He is Certified in Risk and Information Systems Controls (CRISC) and received his Certified Information Systems Auditor (CISA) designation in 1988.
With over 25 years practical experience in information systems and technology risk and controls, he is an expert in identifying and reducing information technology risk throughout an organization.