Companies in today’s business environment, more than ever, are demanding independent 3rd party assurance from their business partners and service providers related to:
- the security and availability of products and services provided;
- how the service provider protects the confidentiality of their data; and/or
- the nature of controls that are in place to ensure their financial transactions are processed completely, accurately and timely.
For nearly three decades, the accounting profession has provided a standards-based framework for service providers to give independent assurance to customers who have outsourced key business processes. More recently, the focus is changing as the consumers of outsourced services, as part of their vendor management programs, are demanding SOC examination reports from their service providers. Whatever the market driver is, it is important for companies, before they seek to provide or request a SOC examination, to understand the different types of SOC reports that are available and how the SOC reporting standards have changed in the last couple of years. The following highlights important concepts and recent changes to 3rd party assurance reporting products.
SOC 1 vs. SOC 2 vs. SOC 3 vs. SOC for Cybersecurity
A SOC 1 is the new name for what historically was known as a SAS 70 report. These reports are designed to provide the independent auditors of a service organization’s customers with information related to the complete, accurate and timely processing of financial information or transactions.
SOC 2 examinations were first established in 2010 with the release of SSAE 16 (Statement on Standards for Attestation Engagements). In 2016, SSAE 18 was released, which included changes to how the independent auditor conducts the SOC examination and changes to the structure and content of the system description and the auditor’s report. These changes, along with some additional engagement workpaper documentation items, were required to be implemented no later than December 2018.
SOC 3 examinations are an optional extension that allows a company to publish a summarized version of a completed SOC 2 examination report on their website or other public platforms.
SOC for Cybersecurity is a new offering that allows a company to obtain independent assurance over its high-level information security program. Additional SOC reporting engagements such as “vendor management” are currently in development by the AICPA.
Each of these different types of SOC reports has unique purposes, specific intended users and levels of detail presented.
Type 1 vs. Type 2
After selecting the type of SOC engagement needed, it is important to understand the differences between the types of reports that can be issued. A Type 1 report contains a description of the system and a listing of control objectives and related controls as of a point in time. The independent auditor provides an opinion that the description is fairly presented and that the controls are suitably designed and implemented. This is typically the first SOC report an organization issues. Like a Type 1, a Type 2 report contains a description of the system and a listing of control objectives and related controls, plus the results of the auditor’s tests of the operating effectiveness of the controls over a period of time (typically 12 months). The Type 2 report is the most frequently requested.
Changes in SOC 2 Reporting Standards
Comprehensive changes have been made with the rollout of SSAE 18. SOC now stands for System and Organization Controls. Trust Services Principles are now referred to as Categories. The entire Trust Services framework has been updated and realigned with COSO.
Many companies are faced with providing independent assurance related to processes and controls based on a variety of other control frameworks, such as PCI, ISO, NIST or HIPAA/HITRUST. There are at least three approaches within the Service Organization Control framework that a company can take with respect to reporting “compliance” with these additional frameworks. It is also important to understand how these specialized control frameworks map into the SOC Trust Services framework: for some categories there is a high level of redundancy, but others have little or no overlap.
To learn more about how to plan and execute a SOC strategy, and how a SOC can benefit your business, we invite you to join us for part three of our 2019 CyberTrends webinar series taking place on Wednesday, August 14, 2019. For more details and registration, click here.