TBS CLOUD INTELLIGENCE: Business Feed

SOC2: Expanding Service Organization Controls Reporting

Editor's Note: In this lengthy piece from The Journal of Accountancy, Mr. Halterman explains that the AICPA's SSAE16-SOC2 assurance standard is the right one for Cloud Computing service providers. He writes: "SOC 2 engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls. Examples of service organizations include cloud computing providers, payroll processors, information security service providers and information service providers."

Several prominent internal control breakdowns and increased focus on internal control by regulators, boards of directors and others charged with governance have led to increased demand for attestation reports on controls over subject matter other than financial reporting provided by an independent CPA. Neither Statement on Auditing Standards (SAS) no. 70, Service Organizations, nor the new standard that replaced SAS no. 70, Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, is intended to address controls relevant to these risks.

In response to this demand, the AICPA has developed the Service Organization Control (SOC) reporting framework. The framework is designed to help service organizations, their customers and CPAs understand the types of examination reports a CPA can issue related to service organization controls. The AICPA also has published new guidance for attestation reports to help meet this growing demand for internal control reporting.

The SOC (commonly pronounced “sock”) framework includes three reporting options. This article focuses on SOC 2 reports and engagements and provides some additional information on SOC 3 engagements.

SOC 1 engagements are performed in accordance with SSAE no. 16 and focus solely on controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.

SOC 2 engagements are performed in accordance with AT section 101, Attest Engagements, using the guidance provided in the Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) (the SOC 2 Guide).

A SOC 2 engagement is designed to provide:

  • Organizations that outsource tasks and functions a mechanism for improving governance and oversight of service providers.
  • Service organizations the ability to communicate the suitability of the design and operating effectiveness of their controls through a widely accepted reporting format.
  • CPAs an opportunity to expand their attestation services through a new report that meets a marketplace need.


SOC 2 reports provide users with:

(1) A detailed description of a service organization’s system, including controls designed to achieve the criteria for one or more of the Trust Services principles. A Trust Services report for service organizations is performed under AT section 101 using TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Trust Services is defined as a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. In a SOC 2 engagement, those principles and criteria are applied to controls at the service organization that are relevant to one or more of the Trust Services principles of security, availability, processing integrity, confidentiality or privacy. Trust Services principles and criteria are issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

(2) An assertion by management regarding the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls; and

(3) A CPA’s opinion on the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls, together with a description of the tests performed by the CPA and the results of those tests. The fairness of the description of a service organization’s system is measured using the system description criteria set forth in the SOC 2 Guide, while the suitability of design and operating effectiveness of controls related to security, availability, processing integrity, confidentiality or privacy are assessed using the criteria in TSP section 100.

SOC 3 reports provide users with (1) an assertion by management that it maintained effective controls to meet the Trust Services criteria, (2) a short description of the service organization’s system, and (3) a CPA’s examination report on either management’s assertion or on the effectiveness of controls that meet the Trust Services criteria. The fairness of management’s assertion is assessed using the criteria in TSP section 100.

It is important to note that a system is more than just computer hardware and software. It is also the policies and procedures used by a service organization to provide services to its customers. A system includes the physical environment and hardware components, application and operating system software, people, procedures and data. As it relates to privacy, a system includes all aspects of the life cycle of personal information, including how it is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.


OUTSOURCING AND ITS EFFECTS

Many companies function more efficiently and profitably by outsourcing tasks or entire functions to other organizations (service organizations) that have the personnel, expertise, equipment or technology to accomplish these tasks. As part of these services, a service organization will often collect, process, transmit, store, organize, maintain and dispose of information for its customers. Examples of service organizations include cloud computing providers, payroll processors, information security service providers and information service providers.

Although a company outsources tasks to a service organization, company management retains its responsibility for the outsourced tasks and the manner in which they are performed and is held accountable by the company’s stakeholders, including its board of directors, shareholders, customers, employees, business partners and regulators. Many of these responsibilities can be grouped using the Trust Services principles, which address security, availability, processing integrity of the system used to provide the outsourced tasks, and the confidentiality and privacy of information used by the system. As part of its corporate governance, management of an organization needs to address these responsibilities by:

  • Developing procedures to identify risks resulting from its outsourcing relationships.
  • Assessing those risks.
  • Identifying controls at the service organizations that address the risks.
  • Evaluating the suitability of the design and operating effectiveness of the service organization’s controls.
  • Implementing and maintaining controls to address risks not addressed by controls at the service organization.


OBTAINING INFORMATION ABOUT A SERVICE ORGANIZATION’S SYSTEM AND ITS CONTROLS

In some cases, an organization’s management can evaluate the quality of operations of a service organization and the suitability of the design and operating effectiveness of the service organization’s controls by establishing monitoring procedures that enable it to prevent—or detect—and correct processing errors and control exceptions by a service organization. To illustrate, as it relates to processing integrity, the company initiates and records the information it submits to the service organization for processing and is able to compare the results of processing with its own records. For example, an organization evaluates sales literature fulfillment services performed by a service organization by comparing the fulfillment statistics provided by the service organization with the printing and mailing costs of the literature.

In other cases, the company must rely either completely or partially on the effective operation of the service organization’s controls. For example, to meet its regulatory obligations and privacy commitments to its patients, a health care provider that outsources the analysis of patient service outcomes must rely on the privacy controls at the service organization. In such a circumstance, the health care provider has a limited ability to monitor the effectiveness of the service organization’s privacy controls.

A company may be able to get information about controls at a service organization directly from the service organization. Often this information comes from the service organization in the form of “Frequently Asked Questions” or as part of the system description. A service organization may also have a list of controls that it has implemented. However, this information may have limitations, such as:

  • There are no defined criteria for what constitutes an adequate description of a system and its controls.
  • In describing its systems, service organizations do not use a consistent set of criteria for measuring whether a service organization’s controls are suitably designed and operating effectively.
  • Except for controls likely to be relevant to user entities’ financial statement assertions, service organizations have not had a consistent and well-recognized method of obtaining an independent CPA’s attestation report on their system descriptions or on the suitability of design and operating effectiveness of their controls.

SOC 2 engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls.