In an effort to focus on core competencies, reduce costs and increase efficiency, organizations today are increasingly outsourcing business processes, data transactions, IT & network systems and other support services. At the same time, there has been an ever-growing emphasis on governance, risk and compliance, with the result that user organizations are seeking assurance on the effectiveness of internal controls at their service organizations. Traditionally, organizations relied on Statement on Auditing Standards No. 70 (SAS 70) reports to obtain assurance on the internal controls of a service organization. However, the SAS 70 report primarily focuses on financial reporting controls and not on other areas such as security and system availability.
In June 2011, the SAS 70 report was replaced by the Service Organization Control (SOC) reports – SOC 1, SOC 2 and SOC 3. The SOC 2/SOC 3 reports are prepared in accordance with Statement on Standards for Attestation Engagements No. 16 (SSAE 16) AT Section 101 and are based upon the Trust Services Principles (TSP), as opposed to SOC 1 reports, which are prepared in accordance with SSAE 16 and focus on internal controls over financial reporting (ICFR).
SOC Report Principles
SOC 1 is fundamentally similar to a SAS 70 report. It reports on controls at a service organization relevant to user organizations’ internal control over financial reporting (ICFR). Service organizations are required to provide a description of the systems and define the controls relevant for the user organizations’ financial reporting. Though the report may cover some IT general controls, there is no specific focus on security, privacy or availability in a SOC 1 report.
SOC 2 and SOC 3 reports are based on the Trust Services Principles developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The Trust Services Principles are built around four areas (Policies, Communication, Procedures and Monitoring) and address controls relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. A service provider is not required to report on all of the above principles and can limit the review to those that are relevant to the outsourced service being performed.
SOC Report Types
The SOC reports can be Type I or Type II. A Type I report typically contains a description of the service organization’s systems and covers the design effectiveness of the controls at a point in time (as of a specified date).
A Type II report contains a description of the service organization’s systems and covers both the design and the operating effectiveness of the controls over a period of time. The period is usually 12 months; however, it may also be shorter, such as 6 months.
SOC Report Structure
The SOC 1 and SOC 2 reporting structure is similar in most parts to a SAS 70 report. A SOC 3 report is less detailed in terms of the testing performed by the auditor. One of the key differences between SOC 2 and SOC 3 reports is that the SOC 2 report provides a detailed description of the tests of controls, the testing results and the auditor’s opinion of the service organization’s system description, whereas the SOC 3 report is a short report on whether the trust principles are met. It does not have details of the auditor’s test procedures, results or opinion.
SOC 1/SOC 2 report sections:
- Auditor’s Opinion
- Management Assertion
- System Description
- Control Objectives and Activities (SOC 1) / Trust Services Principles and Criteria (SOC 2)
- Test Procedures
- Testing Results
Applicability of SOC reports
It is important for user and service organizations to understand which report to obtain based on the type of services being outsourced and on regulatory or user entity requirements. Where the services are clearly financial in nature, such as processing payroll, healthcare and transactions, SOC 1 reports would be requested. Where the services are more technical in nature and the focus is on addressing security, availability or privacy, such as cloud service providers, data center colocation, etc., SOC 2 reports are more applicable. However, it is important to note that a cloud-based ERP service may need to provide a SOC 1 report because it provides financial services, as well as a SOC 2/SOC 3 report to address key cloud service aspects such as security and availability. SOC 2 and SOC 3 reports are based on the same fundamental criteria. However, a SOC 3 report is a less detailed version of the SOC 2 report that can be made publicly available to anyone. It is most often used as marketing material.
Comparison – SOC 1, SOC 2, SOC 3
The table below provides a brief comparison of the three SOC reports.