
AICPA Service Organization Control (SOC) Reports

Assurance Reports for More Than Just Internal Controls over Financial Reporting
March 2011


The increasing popularity of companies outsourcing business processes to service organizations, in particular, cloud-computing providers, Internet retailers and health care claims processors, has given rise to heightened concerns surrounding the confidentiality, privacy, security, availability and processing integrity of the data being placed in the hands of a third party service organization.

Today’s marketplace is clamoring for assurance that service organizations have effective controls for all data — not just financial data. Due in part to a lack of clear alternatives, service organizations are attempting to address these concerns through the issuance of SAS 70 reports. Unfortunately, this has resulted in a growing misuse of the SAS 70 standard. The SAS 70 standard is designed to communicate service provider information and their auditor’s attestation as it relates to their internal controls over financial reporting but it is increasingly being used beyond its scope to include reporting on non-financial controls as well.

The Establishment of Service Organization Control (SOC) Reports

In an effort to address the evolving needs of the marketplace and help senior management and their auditors at a user entity to understand the risks associated with outsourcing to a service organization, the AICPA (American Institute of Certified Public Accountants) has established three Service Organization Control (SOC) reporting options — SOC 1, SOC 2 and SOC 3 reports. 

The SOC reporting standards provide an appropriate framework for CPAs to examine and opine on internal controls, and for service organizations to provide clarity and greater transparency to their customers (and/or customers’ auditors) on both their financial reporting controls and their controls relevant to IT system attributes such as security, availability, processing integrity, confidentiality and privacy. These new standards were designed in response to the meteoric growth in outsourcing and are aimed at satisfying the marketplace’s need for assurances from service organizations that are performing critical outsourcing functions.

Overview of SOC 1 Reports

The AICPA’s SOC 1 report is the brand name for reports prepared in accordance with the recently released SSAE 16 standard (Statement on Standards for Attestation Engagements). SOC 1 reports are designed to report on controls at a service organization relevant to a user entity’s internal control over financial reporting. They are a “restricted use report” as they are intended solely for use by user entities and their auditors to plan and perform an audit or integrated audit of the user entities' financial statements. A SOC 1 report should not be distributed to prospective customers as marketing collateral.

SSAE 16 and SOC 1 Reports to Replace SAS 70

SSAE 16, and hence SOC 1 reports, are set to replace the SAS 70 standard beginning June 15, 2011 (with early adoption permitted). SSAE 16 is based on the IAASB’s new International Standard on Assurance Engagements No. 3402 (ISAE 3402). The intent behind the replacement of SAS 70 with these two standards was two-fold: (1) to be more in line with international standards and existing attestation standards; and (2) to correct the misuse of the SAS 70 standard as a means to obtain assurance regarding compliance and operations.

If a service organization has obtained a SAS 70 report in the past and thus has detailed written descriptions of systems, services and controls, the transition to SSAE 16 and a SOC 1 report should be fairly straightforward and relatively painless. While there are several new and noteworthy requirements under SSAE 16 (see below), in the grand scheme of things, if your testing and monitoring processes are robust enough to support management’s assertions, then the effort to transition to the new standards will not be a daunting task.

How SOC 1 Reports Differ from SAS 70 Reports

The key differences between a SOC 1 report (prepared in accordance with the SSAE 16 standard) and a SAS 70 report are as follows.

  • Written Assertion by Management – Management will now be required to provide a written assertion in the SSAE 16 report supporting their system's description. This assertion must include the suitable criteria used for management’s assessment.
  • Subservice Organizations – If a service organization uses a subservice organization and uses the inclusive reporting method, the subservice organization is also required to provide a written assertion similar to management’s assertion as well as a letter of representation.
  • More Inclusive Description of the Service Organization’s System – SSAE 16 calls for a more comprehensive description of a service organization’s system. In addition to the controls description, it must also include a description of the services provided and classes of transactions processed; a description of the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction; a description of the process for capturing and addressing other significant events and conditions; and a description of the process for preparing reports and providing information to customers. It should also include other aspects of the COSO internal control framework relevant to the user entities and any changes that occur during the audit period.
  • Clear Identification of Risks that Threaten the Achievement of Stated Control Objectives – In the SSAE 16 report, service organizations must identify the risks that threaten the achievement of the control objectives and evaluate if the described controls would provide reasonable assurance that those risks would not prevent the control objectives from being achieved.

Two Types of SOC 1 Reports

Like SAS 70 reports, the SOC 1 report is available in two types as outlined below. 

  • Type 1 Report

A SOC 1 – Type 1 report provides the service auditor’s opinion on whether management’s description of the service organization’s systems is fairly presented and provides an opinion on the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

  • Type 2 Report

A SOC 1 – Type 2 report provides the service auditor’s opinion on whether management’s description of the service organization’s systems is fairly presented and provides an opinion on the suitability of the design of the controls to achieve the related control objectives included in the description throughout a specified period. A Type 2 report also includes the service auditor’s opinion on the operating effectiveness of the controls along with a description and the results of the tests performed in order to form that opinion.

Overview of SOC 2 Reports

The AICPA’s SOC 2 report is a new report that addresses the need to provide information and assurance on non-financial controls. It is designed to report on controls that are relevant to the security, availability and/or processing integrity of the systems used by service organizations to process user entities' data. It can also be used to address the need for assurance on the confidentiality and privacy of the information processed by these systems. 

SOC 2 reports will contain the same report elements as SOC 1 reports but will be prepared in accordance with the AT Section 101 attest standard rather than the SSAE 16 standard. Furthermore, the control objectives in a SOC 2 report will be based on the AICPA and CICA’s Trust Service Principles and Criteria, previously used by the WebTrust and SysTrust certifications. Like SOC 1 reports, SOC 2 reports are available in a Type 1 and a Type 2 report.

SOC 2 reports are generally a restricted use report. They are designed for management of the service organization, management of the user entities and customers of the service organization as well as suppliers, business partners and others associated with the service organization. The intent of a SOC 2 report is to provide an understanding of the details of the processing and controls at a service organization with the goal of instilling confidence and gaining trust in that service organization’s systems.

Entities seeking to outsource business processes to service organizations such as cloud computing providers, SaaS providers, Internet retailers, health care claims processors and others stand to benefit from the information contained in a SOC 2 report. User management will now have the information they need to help them understand and evaluate the risks associated with an outsourced service being offered by a particular service organization. It is expected that SOC 2 reports will play an important role for user entities in the oversight of a service organization as well as an entity’s vendor management programs, internal corporate governance and risk processes and regulatory oversight efforts.

Overview of SOC 3 Reports

A SOC 3 report is essentially a scaled-down version of a SOC 2 report. Like a SOC 2 report, a SOC 3 report is prepared in accordance with the AT Section 101 attest standard and uses the predefined criteria in the Trust Service Principles and Criteria.

The primary difference between a SOC 2 and a SOC 3 report is that a SOC 3 report does not include a description of the service organization’s system nor does it contain any information on testing. It merely provides the auditor’s opinion on whether the service organization maintains effective controls over its systems.

SOC 3 reports are intended for general use — they can be freely distributed and can be publicly promoted with the AICPA SOC 3 seal on a service organization’s website. As such, this makes SOC 3 reports the ideal marketing tool to demonstrate to current and prospective customers that a service organization has the appropriate controls in place to mitigate risks related to the security, availability, privacy and confidentiality of customer information being processed. In the case of Internet retailers and affiliate companies who sell goods and services on behalf of the Internet retailer and use the Internet retailer’s transaction processing systems to do so, the affiliate company can utilize the Internet retailer’s SOC 3 report to address the concerns of current and prospective customers with regard to the security and privacy of their information.

Determining the Most Appropriate SOC Report for Your Organization

Determining which SOC report makes the most sense for your organization begins with taking a look at the internal control assurance needs of your stakeholders (senior management, customers, prospects and business partners). If their needs relate to internal control over financial reporting then the answer is simple — you will need a SOC 1 report. 

If your stakeholders’ assurance needs have more to do with compliance and operational controls, then either a SOC 2 or a SOC 3 report would be most appropriate. Deciding between a SOC 2 and a SOC 3 report will come down to understanding the level of detail your audience requires — do they need the “details” behind your systems and processes or will a summary report and the SOC 3 seal on your website be sufficient?

Effective Dates for SOC Reports

The effective date for all SOC reports is June 15, 2011 (with early adoption permitted). With regard to SOC 2 and SOC 3 reports, further guidance is still expected from the AICPA in the form of a new guide, Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, that will address reporting on a service provider’s controls over subject matter other than financial reporting. Stay tuned…




Related Team Member(s)

  • Robert A. Busch, Audit Partner, (978) 557-5327
  • Matthew V. Pettine, Managing Director, (978) 557-5354
  • Michelle A. Mackey, Managing Director, (978) 569-2909