Service Organization Control (SOC) Reporting Options and Information 1.


“When users of a service organization’s services (user entities) outsource these tasks and functions, many of the risks of the service organization become risks of the user entities.” – AICPA, Service Organization Controls, November 2010

Overview

Service Organization Control (SOC) reports are designed to help service organizations meet specific user needs:

• SOC 1 Report – Addresses internal controls over financial reporting

– Performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization

– Focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements

• SOC 2 and SOC 3 Reports – Address controls at the service organization that typically relate to understanding the effectiveness of controls around operations and technology compliance

– SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy

– SOC 3 Report – Trust Services Report – Opinion Letter Only

SOC 1 Reports

• Focus is on internal control over financial reporting.

• Similar to SAS 70, there are two types of SOC 1 reports:

– Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date

– Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period

• Use of subservice organizations is addressed using either the carve-out or the inclusive method

• Restricted-use report – distribution is limited to user organizations and their auditors

SOC 2 & 3 Reporting Overview

• Addresses controls at the service organization that relate to operations and/or compliance and are based on Trust Services principles and criteria:

– Security

– Availability

– Processing integrity

– Confidentiality

– Privacy

• Report may cover one or more of the Trust Services Principles, as specified by management.


SOC 2 Reporting

• Similar to a SOC 1 report, there are two types of reports:

– Type 1: Report on management’s description of a service organization’s system and the suitability of the design of controls

– Type 2: Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls

• Many of the requirements for SOC 2 are the same as SOC 1:

– May be restricted in use

– Management’s assertion

– System description, risk assessment, etc.

• A service organization may request that the service auditor’s report address additional subject matter that is not specifically covered by the Trust Service Principles (regulatory items such as HIPAA, GLBA, etc.)


SOC 3 Reporting

• Designed to meet the needs of users who want assurance on controls at a service organization but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.

• Prepared using the AICPA/CICA Trust Services principles and criteria that include Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

• The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls, whereas the SOC 3 provides only an opinion letter (the report) and, for unqualified opinions only, potentially a SysTrust Seal.

• Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a seal.


Trust Principles

• Security: The system is protected against unauthorized access (both physical and logical).

• Availability: The system is available for operation and use as committed or agreed.

• Processing Integrity: System processing is complete, accurate, timely, and authorized.

• Confidentiality: Information designated as confidential is protected as committed or agreed.

• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA. 

Reminder: A report (audit) may cover one or more of the Trust Services Principles, as specified by management.


Organization of Trust Principles

Each of the Trust Services Principles is organized into four areas, and each with its own set of criteria:

• Policies. The entity has defined and documented its policies relevant to the particular principle.

• Communications. The entity has communicated its defined policies to authorized users.

• Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.


Organization of Trust Principles

Number of criteria in each area, by principle:

                    Security   Availability   Processing Integrity   Confidentiality
Policies                3            3                  3                   3
Communications          5            5                  5                   5
Procedures             14           17                 21                  21
Monitoring              3            3                  3                   3
Total criteria         25           28                 32                  32

There is much commonality between each of the Trust Principle areas, such that examining one area under one principle often covers the similar examination of the others. Starting in December 2014 the standards combine these redundant criteria.

Generally Accepted Privacy Principles (GAPP)

Number of criteria in each GAPP area:

Principle                        Policies and Communications   Procedures and Controls
Privacy Policies                             3                           11
Notice                                       2                            3
Choice and Consent                           3                            4
Collection                                   3                            4
Use, Retention and Disposal                  2                            3
Access                                       2                            6
Disclosure to Third Parties                  3                            4
Security for Privacy                         2                            7
Quality                                      2                            2
Monitoring and Enforcement                   2                            5

Generally Accepted Privacy Principles have a number of unique areas and criteria within each.

Summary of New Standards & Options

SOC 1

• Purpose: Reports on controls related to Financial Statement audits (ICFR)

• Standard: SSAE 16 – Service Auditor Guidance

• Use: Restricted Use Report (Type I or II report)

• Contents: Description of the service organization’s system. CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA firm’s tests of controls and results.

SOC 2

• Purpose: Typically reports on controls related to compliance or operations

• Standard: AT 101, with the Trust Services Principles & Criteria*

• Use: Generally a Restricted Use Report (Type I or II report)

• Contents: Description of the service organization’s system. CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA firm’s tests of controls and results.

SOC 3

• Purpose: Reports on controls related to compliance or operations

• Standard: AT 101, with the Trust Services Principles & Criteria*

• Use: General Use Report (with a public seal)

• Contents: An unaudited system description used to delineate the boundaries of the system. CPA’s opinion on whether the entity maintained effective controls over its systems. Does not contain a description of the CPA firm’s tests of controls and results (Opinion letter only).

Readiness Assessment Service Approach


• Review relevant client agreements/contracts and determine which Trust Service Principles are to be covered in the SOC Report(s).

• Perform a readiness assessment covering the design effectiveness of control activities supporting TSP criteria selected.

• Review Company’s policies and procedures documentation to identify internal controls and identify gaps.

• Meet with management to develop a remediation plan and next steps.

• Perform high-level testing to determine operating effectiveness of controls.

• Report areas that are not operating effectively and develop plan to remediate control deficiencies.

• (Optional) Perform SOC 2, Type 1 design testing and issue an opinion letter and report.


Formal SOC Reporting Service Approach


• Testing Phase – Schedule fieldwork visits to company offices (3 to 5 days on-site)

• Interim Testing - Perform the initial assessments, walkthroughs and effectiveness testing. Testing team meets with key control owners to gain an understanding of your control environment and request documentation used to assess the operating effectiveness of controls.

• Roll-forward Testing - Perform effectiveness testing just prior to end of reporting period. Testing team requests documentation used to assess the period end operating effectiveness of your controls.

• Reporting Phase - Engagement team assembles the report and completes final reviews to issue our opinion and formal report.