Assurance Reports for Internal Controls over More Than Just Financial Reporting
The increasing popularity of companies outsourcing business processes to service organizations, in particular cloud data storage and computing providers, Internet retailers and health care claims processors, has given rise to heightened concerns surrounding the confidentiality, privacy, security, availability and processing integrity of the data being placed in the hands of a third-party service organization. Today’s marketplace is clamoring for assurance that service organizations have effective controls for all data, not just financial data.
The Establishment of Service Organization Control (SOC) Reports
In an effort to address the evolving needs of the marketplace, and help senior management and their auditors at a user entity to understand the risks associated with outsourcing to a service organization, three Service Organization Control (SOC) reporting options were established by the American Institute of Certified Public Accountants (AICPA) in 2011—SOC 1, SOC 2 and SOC 3 reports.
The SOC reporting standards provide an appropriate framework for CPAs to examine and opine on internal controls and for a service organization to provide clarity and greater transparency to its customers (and/or customers’ auditors) on both its financial reporting controls and its controls relevant to its IT system attributes, such as security, availability, processing integrity, confidentiality and privacy. These standards were designed in response to meteoric growth in outsourcing and are aimed at satisfying the marketplace’s need for assurances from service organizations that perform critical outsourcing functions.
Overview of SOC Reports
SOC 1 Reports
The AICPA’s SOC 1 report is the brand name for reports prepared in accordance with the SSAE 18 standard (Statement on Standards for Attestation Engagements No. 18). SOC 1 reports are designed to report on controls at a service organization relevant to a user entity’s internal control over financial reporting. They are a “restricted use report” as they are intended solely for use by user entities and their auditors to plan and perform an audit or integrated audit of the user entities' financial statements. A SOC 1 report should not be distributed to prospective customers as marketing collateral.
How SOC 1 Reports Differ From the Old SAS 70 Reports
The key differences between a SOC 1 report (prepared in accordance with the SSAE 18 standard) and an old SAS 70 report (the previous guidance) are as follows:
- Written Assertion by Management – Management is required to provide a written assertion in the SOC 1 report supporting their system's description. This assertion must include the suitable criteria used for management’s assessment.
- Subservice Organizations – If a service organization uses a subservice organization and elects the inclusive reporting method, the subservice organization is also required to provide a written assertion similar to management’s assertion as well as a letter of representation. (Under the alternative carve-out method, the subservice organization’s controls are excluded from the description and the report identifies the controls the user entity must expect the subservice organization to have.)
- More Inclusive Description of the Service Organization’s System – The SSAE 18 standard calls for a more comprehensive description of a service organization’s system. In addition to the controls description, it must also include: a description of the services provided and classes of transaction processed; a description of the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction; a description of the process for capturing and addressing other significant events and conditions; and a description of the process for preparing reports and providing information to customers. It should also include other aspects of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control – Integrated Framework relevant to the user entities and any changes that occur during the audit period.
- Clear Identification of Risks that Threaten the Achievement of Stated Control Objectives – Within a SOC 1 report, service organizations must identify the risks that threaten the achievement of the control objectives and evaluate whether the described controls would provide reasonable assurance that those risks would not prevent the control objectives from being achieved.
Two Types of SOC 1 Reports
The SOC 1 report is available in two types:
- Type 1 Report. A SOC 1 – Type 1 report provides the service auditor’s opinion on whether management’s description of the service organization’s system is fairly presented and on the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. A Type 1 report does not test, or opine on, whether the controls actually operated effectively.
- Type 2 Report. A SOC 1 – Type 2 report provides the service auditor’s opinion on whether management’s description of the service organization’s systems is fairly presented and provides an opinion on the suitability of the design of the controls to achieve the related control objectives included in the description throughout a specified period. A Type 2 report also includes the service auditor’s opinion on the operating effectiveness of the controls along with a description and the results of the tests performed in order to form that opinion.
SOC 2 Reports
A SOC 2 report addresses the need to provide information and assurance on non-financial controls. It is designed to report on controls surrounding the principles of security, availability and/or processing integrity of the systems used by service organizations to process user entities' data. It can also be used to address the need for assurance on the confidentiality and privacy of the information processed by these systems.
SOC 2 reports contain the same report elements as SOC 1 reports but are general attestation examinations rather than engagements under the SOC 1-specific standard: historically AT Section 101 (while SOC 1 used SSAE 16, AT Section 801), and since the SSAE 18 recodification AT-C Sections 105 and 205 (while SOC 1 uses AT-C Section 320). Furthermore, the criteria in a SOC 2 report are not service-organization-defined control objectives but the AICPA and Canadian Institute of Chartered Accountants (CICA)’s Trust Services Principles and Criteria, previously used by the WebTrust and SysTrust certifications. Like SOC 1 reports, SOC 2 reports are available in a Type 1 and a Type 2 report.
Like a SOC 1 report, a SOC 2 report is a restricted use report. It is designed for management of the service organization, management of the user entities and customers of the service organization as well as suppliers, business partners and others associated with the service organization. The intent of a SOC 2 report is to provide an understanding of the details of the processing and controls at a service organization with the goal of instilling confidence and gaining trust in that service organization’s systems.
Entities seeking to outsource business processes to service organizations such as cloud computing providers, SaaS providers, Internet retailers, health care claims processors and others stand to benefit from the information contained in a SOC 2 report. User management has the opportunity with this report to review the information they need to help them understand and evaluate the risks associated with an outsourced service being offered by a particular service organization. A SOC 2 report plays an important role for user entities in the oversight of a service organization, as well as an entity’s vendor management programs, internal corporate governance and risk processes, and regulatory oversight efforts.
The Five Trust Services Principles
The five Trust Services Principles are defined by the AICPA as follows:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued jointly by AICPA and CICA.
Security Principle
The Security principle often needs less explanation than the others. Common controls include physical access restrictions, network protection, password and authentication requirements, and formalized hiring and termination procedures. It would be very unusual for a service provider not to include the Security principle in its report, as adequate security is a necessary foundation for the effectiveness of controls related to any of the other principles.
Availability Principle
The Availability principle relates strictly to your customers’ ability to access a particular system. Availability does not imply that the system is functioning correctly; that is assessed under Processing Integrity. Common controls supporting availability include measures designed to protect against environmental failures (such as power failures, fire or heat), preventative maintenance procedures and system resiliency. Availability is often included within SOC 2 reports for data center or hosting providers, or for application providers maintaining their own production systems.
Processing Integrity Principle
The Processing Integrity principle is concerned with whether a particular system functions as intended. Often dependent upon the nature of the organization’s particular system, controls included here could be designed to: prevent or detect inconsistent or incomplete transactions; protect data from tampering or corruption through control totals, message hashes or keyed message authentication codes (encryption alone protects confidentiality, not integrity, unless an authenticated mode is used); and/or ensure positive acknowledgment from customers prior to processing. E-commerce or financial services firms often benefit from including the Processing Integrity principle in their SOC 2 reports.
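The following is an added example, not part of the original article and not any particular service organization’s code, showing how the two integrity controls named above (control totals and message hashes) behave on a constructed batch of payment records. The record layout, field names and shared key are assumptions for illustration. It also shows the caveat a reviewer would raise: control totals catch dropped records and changed sums, but not changes that preserve the sum, and an unkeyed hash catches only accidental corruption because a tamperer can recompute it, so the hash is computed as an HMAC under a key the sender and processor share.

```python
"""Processing-integrity controls on a batch file: control totals plus a keyed hash.

Added illustration; record layout, field names and key are assumptions, not a
real service's format.
"""
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample batch: three payment records as the sender would emit them.
BATCH = [
    {"id": "TX-0001", "account": "ACC-17", "amount": "125.00"},
    {"id": "TX-0002", "account": "ACC-42", "amount": "900.50"},
    {"id": "TX-0003", "account": "ACC-17", "amount": "74.50"},
]

# Shared secret agreed out of band between sender and processor (assumed value).
SHARED_KEY = b"example-key-not-for-production"


def canonical(records):
    """Serialize deterministically so sender and processor hash identical bytes."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def control_totals(records):
    """Record count and amount sum: the classic batch control totals."""
    return {
        "count": len(records),
        "amount_total": str(sum(Decimal(r["amount"]) for r in records)),
    }


def build_trailer(records, key):
    """Trailer the sender attaches: control totals plus an HMAC-SHA256 over the batch.

    A plain SHA-256 would only catch accidental corruption, since whoever alters
    the records can recompute it. A MAC under a shared key also catches deliberate
    tampering by anyone without the key.
    """
    totals = control_totals(records)
    mac = hmac.new(key, canonical(records), hashlib.sha256).hexdigest()
    return {**totals, "mac": mac}


def verify_batch(records, trailer, key):
    """Processor-side check. Returns a list of failures; an empty list means accept."""
    failures = []
    totals = control_totals(records)
    if totals["count"] != trailer["count"]:
        failures.append("count mismatch: dropped or duplicated records")
    if totals["amount_total"] != trailer["amount_total"]:
        failures.append("control total mismatch: amounts differ")
    expected = hmac.new(key, canonical(records), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison diverged via timing.
    if not hmac.compare_digest(expected, trailer["mac"]):
        failures.append("MAC mismatch: content altered or wrong key")
    return failures


def demo():
    """Run the check against an intact batch and three failure modes."""
    trailer = build_trailer(BATCH, SHARED_KEY)
    results = {"intact": verify_batch(BATCH, trailer, SHARED_KEY)}

    # Incomplete batch: last record lost in transit. Count, total and MAC all fail.
    results["truncated"] = verify_batch(BATCH[:-1], trailer, SHARED_KEY)

    # Tampering that preserves the control total: amounts swapped between accounts.
    # Count and total still match; only the MAC detects it.
    moved = [dict(r) for r in BATCH]
    moved[0]["amount"], moved[2]["amount"] = "74.50", "125.00"
    results["moved"] = verify_batch(moved, trailer, SHARED_KEY)

    # Tamperer rewrites the trailer to match altered data but lacks the key:
    # totals pass, MAC fails.
    altered = [dict(r) for r in BATCH]
    altered[1]["amount"] = "9000.50"
    forged = build_trailer(altered, b"wrong-key")
    results["forged"] = verify_batch(altered, forged, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name:10s} -> {failures or 'ACCEPT'}")
```

In a SOC 2 examination the control described in the system description would be the processor rejecting any batch whose trailer fails these checks and logging the rejection for follow-up; the auditor’s test would sample rejected and accepted batches and reperform the check.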
Confidentiality and Privacy Principles
The Confidentiality and Privacy principles are both concerned with controlling the access, use and disclosure of information. Whereas Privacy relates to personal information, often as defined by relevant regulations, Confidentiality relates to the organization’s own commitments or agreements with its customers and might include information regarding transaction details, intellectual property or even customer lists. Common controls often include detailed security-related systems and procedures, monitoring protocols and a generally higher level of formalized communication practices. Service providers dealing with consumer transactions, financial services or sales support often include one or both of these principles in their reports, depending upon the nature of the information being processed or collected by their systems.
SOC 3 Reports
A SOC 3 report is essentially a scaled down version of a SOC 2 report. Like a SOC 2 report, a SOC 3 report is an examination under the general attestation standards (historically AT Section 101, now AT-C Sections 105 and 205 under SSAE 18) and uses the predefined criteria in the Trust Services Principles and Criteria.
The primary difference between a SOC 2 and a SOC 3 report is that a SOC 3 report does not detail the specific controls that a company has, nor does it provide any testing information that was performed on those controls. It merely provides the auditor’s opinion on whether the service organization maintains effective controls over its systems.
SOC 3 reports are intended for general use — they can be freely distributed and publicly promoted with the SOC 3 seal on a service organization’s website. These factors make SOC 3 reports the ideal marketing tool to demonstrate to current and prospective customers that a service organization has the appropriate controls in place to mitigate risks related to the security, availability, privacy and confidentiality of customer information being processed. In the case of Internet retailers and affiliate companies who sell goods and services on behalf of the Internet retailer and use the Internet retailer’s transaction processing systems to do so, the affiliate company can utilize the Internet retailer’s SOC 3 report to address the concerns of current and prospective customers with regard to the security and privacy of their information.
The Real Value of a SOC Report
Some companies believe that once a SOC 1, SOC 2 or SOC 3 report is issued and in their customer’s hands, the box can be checked and the report can be filed away in a drawer to be forgotten. This perception couldn’t be further from the truth. In reality, these reports are often closely scrutinized by customers and their auditors. Bear in mind that a service provider’s customers are typically the ones requesting the report, and their reasons for doing so extend far beyond the need to mark this item off of their “to-do” list. For service providers, completion of a SOC report actually represents an important opportunity with potentially far-reaching impact on current and future business.
An accurate and comprehensive SOC 1, 2 or 3 report can effectively demonstrate the proactive measures your company has taken to protect your customers’ data. It can also instill trust among the users of the report and satisfy the inquiries of your customers’ auditors. Your internal controls are by their nature hidden from the outside world. As long as they are functioning correctly, you won’t find many opportunities to demonstrate their effectiveness. Yet, your customers rely on the strength of these controls, and providing proof of their dependability can set you apart from the competition and secure your position in the marketplace.
When an auditor requests a SOC report from a company’s service provider, they do so to answer pressing questions about controls they cannot observe directly. The report gives them specific information that no other process provides. Auditors tend to perform a detailed review of the report within a very short time frame, often just a few days. Their interest is demonstrated not only by the speed with which they digest the results, but also by the detailed comments and follow-up questions they prepare in response to the report, particularly around any exceptions noted in the tests of operating effectiveness and around complementary user entity controls the report expects the customer to have in place.
Determining the Most Appropriate SOC Report for Your Organization
Determining which SOC report makes the most sense for your organization begins with taking a look at the internal control assurance needs of your stakeholders (senior management, customers, prospects and business partners). If their needs relate to internal control over financial reporting then the answer is simple — you will need a SOC 1 report.
If your stakeholders’ assurance needs have more to do with compliance and operational controls, then either a SOC 2 or a SOC 3 report would be most appropriate. Deciding between a SOC 2 and a SOC 3 report will come down to understanding the level of detail your audience requires — do they need the “details” behind your systems and processes or will a summary report and the SOC 3 seal on your website be sufficient?