SSAE16 – SOC 1-2-3 - Service Organization Control (SOC)


Name of the programme: Service Organization Control (SOC)
Governing of the standard: AICPA Attestation Standards
Accreditation Body/Bodies: State licensing bodies

Scope:
SOC 1: Controls relevant to user entities’ internal control over financial reporting
SOC 2: AT Section 101, Attest Engagements (AICPA, Professional Standards)
SOC 3: Controls relevant to security, availability, confidentiality, and processing integrity


Cloud-relevance: Not cloud specific. Cloud relevance is provided through the use of the Cloud Security Alliance Cloud Controls Matrix (see STAR Attestation and the following reference).
Type of certifiable organisation: SaaS, PaaS, IaaS
Type of trust models applicable: Independent 3rd party assurance.
Is the certification proprietary or open: Report is restricted to use of management of the service organization and other specified parties. If prospective user entities are intended users of the report, the prospective user entities should have sufficient knowledge and understanding of the nature of services provided by the service organization; how the service organization’s system interacts with user entities, subservice organizations, and other parties; internal control and its limitations; complementary user-entity controls and how they interact with related controls at the service organization and subservice organization to meet the applicable trust services criteria; the applicable trust services criteria; and the risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks.
Programme, status (operational, in development): Operational


For over 20 years, Certified Public Accountants have performed specialized audits of information technology (IT) internal controls at service organizations. During this time, a report by a CPA firm has become the standard for reporting on internal controls at a service organization as required by the U.S. Government, the Securities and Exchange Commission (SEC), the financial services industry, and standard contract terms with countless service organization users. One of the main reasons for this wide adoption has been that the professional standards that underpin these CPA reports provide customers with a basis for relying on the reports’ conclusions. The objective of these service organization control (SOC) reports has been to provide the customers of service organizations, and the auditors of those customers, assurance over the effective operation of IT controls designed to address IT risk to information processing. To provide the framework for CPAs to examine controls and to help management understand the related risks, the American Institute of Certified Public Accountants (AICPA) established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports).


SOC 1

SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to existing user entities (not potential customers). There are two types of SOC 1 reports:

  • Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


SOC 2

Recognizing that customers’ need for assurance extended beyond financial objectives, the AICPA, in collaboration with the Canadian Institute of Chartered Accountants (CPA Canada), first formulated the Trust Services Principles and Criteria (TSPC) in 2002 to assist in brokering a trust relationship between the rapidly growing IT service and data processing industry and its customers. The TSPC provides a framework for a CPA to report on the design and operating effectiveness of Security, Confidentiality, Availability, Privacy and Processing Integrity controls.

SOC 2 engagements use the predefined criteria in the TSPC, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued. The report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system attributes:

  • Security - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing integrity - System processing is complete, accurate, timely and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

Additionally, the scope of the SOC 2 report can address other criteria related to HIPAA, e-Prescribing, FISMA and other IT (security) requirements.

Today, with the rise of cloud computing, the demand for reporting by CPA firms on controls related to security, confidentiality, and availability has seen a resurgence, and large cloud service providers (CSPs) have provided, or are in the process of providing, their customers with SOC 2 reports to address this demand.

In a position paper released February 2013, the CSA stated that “for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix,” [3] a framework CSA provides for assessing the overall security risk of a cloud provider.

“The cloud can create great efficiencies for businesses, but it also introduces challenges and complexities for those businesses and their stakeholders who rely on the information’s integrity, security, and privacy,” said Susan Coffey, CPA, CGMA, the AICPA’s senior vice president–Public Practice & Global Alliances, in a news release. “We’re delighted that the Cloud Security Alliance has given its stamp of approval to Service Organization Control Reports as a mechanism to meet this reporting challenge.”


SOC 3

SOC 3 engagements also use the predefined criteria in the TSPC that are used in SOC 2 engagements. The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website.

SOC 1 SM Reports

Relevant Professional Standards: AT Section 801, Reporting on Controls at a Service Organization (AICPA, Professional Standards)
Intended users of report: Management of the service organization, user entities and auditors of user entities’ financial statements

SOC 2 SM Reports

Relevant Professional Standards: AT Section 101, Attest Engagements (AICPA, Professional Standards)
Intended users of report: Management of the service organization and other specified parties who have sufficient knowledge and understanding of the following:

  • The nature of the services provided by the service organization.
  • How the service organization’s system interacts with user entities, subservice organizations, and other parties.
  • Internal control and its limitations.
  • Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria.
  • The applicable trust services criteria.
  • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks.

SOC 3 SM Reports

Relevant Professional Standards: AT Section 101, Attest Engagements (AICPA, Professional Standards)
Intended users of report: Anyone