Nearly all the companies we have the opportunity to work with– community banks, non-profit organizations, government entities, associations, construction companies, heath care, etc.–outsource some component of their IT system to a Service Organization. This outsourcing arrangement allows companies to reduce capital and personnel expenses, and be more flexible with their technology dollars. However, when your sensitive data is sitting somewhere outside the reach of your own physical and logical control, concerns arise about the security and availability of your information.
The American Institute of Certified Public Accountants (AICPA) has developed a framework that allows qualified CPAs to work with these outsourcing companies to prepare a report and give an opinion on their internal controls. The reports are called Service Organization Control (SOC) Reports and they provide information to your business and your accountants about the internal controls at the Service Organization. Over the next several newsletters, I will describe what SOC reports are and why your company should consider requesting a SOC report from your vendor. If you are an outsourcing provider, I’ll also discuss why it could be valuable for your company to consider having a SOC audit performed.
SOC Reports are the result of attestation engagements designed to provide a user organization (your company) and their auditors with assurance over the internal controls at a service organization (your vendor). Three different reporting options are available.
SOC 1 reports result from an engagement under Statement on Standards for Attestation Engagements, SSAE 16 – Reporting on Controls at a Service Organization. SSAE 16 examines internal controls at a service organization that impact a user entity’s controls over financial reporting. This report is used only by auditors of user organizations and the management of user entities. SSAE 16 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement. It essentially fills the role of a SAS 70 report as it was originally intended.
SOC 2 reports provide detail on controls at a service organization covering security, availability, processing integrity, confidentiality or privacy. Its use is generally restricted to certain users who, among other things, have some knowledge of the nature of the services that the service organization provides. The SOC 2 report can offer greater assurance to customers and stakeholders about internal controls that go beyond financial reporting controls.
SOC 3 reports are Trust Service examination reports. They address the same subject areas as a SOC 2 report, but in a shortened version (about one page, in fact) that can be used in a service organization’s promotional efforts and on its website. SOC 3 reports can serve as a marketing tool, with potential customers for instance, to show the organization has appropriate controls in place to mitigate risks on the nonfinancial subject matters.
Our analysis of these reports in the coming articles will focus on the SOC 1 and SOC 2 reports because they appear to be the most prevalent in the industry. SOC reports are full of detailed information in the form of a narrative (in CPA parlance, The Description of the Service Organization’s System, or the Description) that includes many things about the service organization such as the structure of management, risk mitigation methods, how technology and security decisions are made, and even technical details about how their technology is laid out. You can learn a lot of information about how your data is handled by the Service Organization. Doing so helps your company spend your hard earned resources wisely, and provides insight into how your data is protected.
Much more information about SOC reports is available from YHB’s Risk Advisory Services team, from aicpa.org, or through your CPA. SOC reports are quickly becoming a valuable resource and another tool for business owners and managers to determine how their data is protected and backed up.