By Kara Gallinger, CPA, Manager, and Jason Schaller, Information Security Manager, CISSP, CISA, CRISC, CCNA Security
Service organizations receive requests from customers for assurance on systems’ controls over financial reporting. In addition, they get requests for reports that help customers understand the measures that are in place to protect the privacy and confidentiality of user data, as well as the security, availability and processing integrity of systems. Service Organization Control (SOC) engagements have become a standard approach to examining, assessing and reporting on these controls.
This white paper focuses on the different control reporting options available and provides guidance to help organizations determine which report is appropriate for their needs.
The past several years have seen rapid growth in the number of businesses outsourcing various functions to service organizations. User entities submitting personal or confidential customer information to service organizations for processing or storage have experienced similar growth. Over time, many user organizations began requesting assurances about controls over this data that mitigate risks beyond traditional financial reporting risks. The former standard, SAS 70, was designed only to assist CPAs in reporting on controls at a service organization that affect user entities’ financial statements. SAS 70 was not intended to report on controls that affect the privacy of customer data; however, for lack of a better option, it was improperly used as the framework for such assessments. Because of the confusion and misuse of SAS 70, the AICPA replaced it with the Service Organization Control (SOC) framework. The SOC framework has three different classifications of engagements to fit the needs of different service organizations.
Service Organization Controls Report 1 (SOC 1)
A SOC 1 Report results from an engagement under a new Statement on Standards for Attestation Engagements, SSAE 16 – Reporting on Controls at a Service Organization. This report focuses on controls over financial reporting at a service organization. There are two types of report options: Type 1 and Type 2. The Type 1 Report focuses on describing a service organization’s system and on the appropriateness of the design of its controls to achieve the related control objectives. A Type 2 Report contains the same opinions as a Type 1 Report but adds an opinion on the operating effectiveness of the controls. These reports are intended for use by service organization managers, user entities, and user financial statement auditors.
SSAE 16 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement. It essentially fills the role of a SAS 70 report as it was originally intended.
Organizations that commonly issue a SOC 1 Report include payroll processing, medical claims processing, human resources, investment managers, fund administrators, document management and loan processors.
Service Organization Controls Report 2 (SOC 2)
The SOC 2 Report covers controls beyond financial reporting. The SOC 2 Report looks at a service organization’s controls relevant to the security, availability, or processing integrity of the organization’s system or the privacy or confidentiality of the information the system processes, including whether the system is protected against unauthorized physical and virtual access. A SOC 2 Report is helpful to an organization because it reports on the accuracy of management’s description of the service organization’s system and the appropriateness of the controls in place.
Similar to SOC 1, SOC 2 has both Type 1 and Type 2 Reports. A SOC 2 Type 2 Report includes the service auditor’s description of tests performed and related test results.
The SOC 2 Report is generally restricted to use by management, regulators and others who understand the service organization and its controls. A Type 2 Report is also useful for service organizations with customers who require assurance that the organization is functioning securely and within the parameters of its governance process. These customers will have Non-Disclosure Agreements in place prior to disclosure of the SOC 2 Report.
SOC 2 engagements are commonly requested by service organizations such as cloud services providers, third-party processing facilities, managed services providers, hosting facilities, organizations with large data centers, and organizations that already have a SOC 1 Report but need to provide additional assurance beyond traditional financial reporting.
Service Organization Controls Report 3 (SOC 3)
The SOC 3 Report is a trust service examination report. SOC 3 Reports address the same subject matter as SOC 2 Reports, but in a much more condensed way. They do not include a detailed description of the system’s controls nor do they include the specific tests performed by the auditor and the accompanying results. The advantage of a SOC 3 Report is that its distribution is not restricted. Organizations can use this report as a marketing tool to demonstrate that the organization has appropriate controls in place to mitigate risks on the nonfinancial subject matter. The same organizations that would be candidates for the SOC 2 Report are candidates for SOC 3.
With continued advancements in technology and increased use of outsourcing, SOC Reports are becoming a necessity when providing services to another organization. A SOC Report demonstrates that the organization’s controls are designed and operating effectively to mitigate the risk associated with outsourced processes.