In the last newsletter (and blog) we covered the use of the SSAE 16/SOC 1 report. The primary purpose of a SOC 1 report is to provide assurance to management of user organizations and their financial auditors (called user auditors) about the internal controls at the service organization. Reliance is placed on the SOC 1 report during the financial statement review of the user organization. This week we will discuss the background and purpose of SOC 2 reports.
The need for a separate assurance report on a service organization’s systems stems from needs that were not met under the previous SAS 70 reporting standard. Companies have increased the frequency with which they outsource non-financial components of their systems. As a result, there was confusion in the industry about how to gain a comfort level over the systems held by the service provider. The response by the American Institute of Certified Public Accountants (AICPA) was the creation of the new Service Organization Control 2 (SOC 2) report.
The foundation of the SOC 2 report is the AICPA’s Trust Services Principles and Criteria (TSPC). The Trust Services Principles and Criteria have been around for many years. Many readers of deTECH may be familiar with YHB’s SysTrust attestation engagement, which is based on the same TSPC. The TSPC comprises five Principles, and any combination of these Principles can be included in a SOC 2 report.
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.
The above Principles are supported by a series of criteria that, if satisfactorily met, allow the service auditor to issue an unqualified opinion on that particular Principle.
One of the most common types of SOC 2 report we examine is for data centers. Let’s continue with the example from the previous newsletter. ABC, Inc. has outsourced much of its network to a third-party vendor, Network Vendor, Inc. (NVI). NVI provides rack space, network support, hardware support, and application support for ABC, Inc. NVI does not process financial transactions for ABC, but the services provided by NVI are critical to the success of ABC, Inc. ABC, Inc. also expects NVI to protect logical access to the network, protect physical access to the hardware and rack space, and recover its data after a disaster. Two questions must be asked: 1) How does ABC, Inc. obtain a level of assurance that its systems hosted by NVI are protected against unauthorized logical and physical access? and 2) How can NVI effectively communicate to ABC, Inc. and all its other customers that it has taken the necessary precautions to protect its customers’ data? The answer to both of these questions is a SOC 2 report.
NVI should engage a qualified CPA firm to perform a SOC 2 attestation engagement and issue a SOC 2 report. In this scenario, the Trust Services Principles of Security and Availability should be selected, because NVI’s customers want assurance that the systems provided by NVI will be secure and available as agreed.
Another valuable benefit of the SOC 2 is its flexibility. The AICPA allows engagements called “SOC 2 Plus”, which let a CPA perform a SOC 2 attest engagement alongside another requirement. For example, health care business associates are required to comply with HIPAA. A CPA could perform a SOC 2 Plus HIPAA engagement and give an opinion on both the TSPC and how the service organization meets HIPAA requirements. Another option is SOC 2 for the Cloud, which is intended for cloud service providers.
The SOC 2 report, just like the SOC 1, is restricted to the management of the service provider (NVI), the management of the user organization (ABC, Inc.), and the user auditors. The opinion in a SOC 2 report covers the selected TSPC and whether the service provider met those criteria over a period of time.
So, to summarize: SOC 2 reports provide assurance over any combination of the Trust Services Principles and Criteria. This is more comprehensive than the SOC 1 report, which only covers Control Objectives applicable to controls over financial reporting. Both are valuable reporting options that can demonstrate a service provider’s commitment to, and success in, maintaining a strong internal control environment.