CPAs Expand Into SOC 2 After Death of SAS 70
- Written by T. Steel Rose, CPA
After SAS 70 audits were misused, the AICPA replaced the standard with SSAE 16. In the course of correcting the problem, the AICPA also defined three Service Organization Control (SOC) reports for service organizations. SOC 1, like SAS 70, covers internal controls over financial reporting. SOC 2 covers data security and related operational controls. SOC 3 is a general-use report based on the Trust Services Principles. It takes a little research to untangle the variations, but it is worthwhile to know where each report fits in order to respond to client needs.
SSAE 16 (effective for report periods ending on or after June 15, 2011) is the attestation standard for issuing SOC 1 reports. A SOC 1 report is the result of examining the internal controls of a service organization that are relevant to its user organizations' financial reporting. This is where the improper use of SAS 70 took place. Companies that received SAS 70 reports stating that their internal controls over financial reporting were adequate cited those reports as evidence of overall data security in their organizations, a conclusion the report's scope did not support. Some also claimed to be "SAS 70 Certified," although SAS 70 was an auditing standard and certified nothing.
The SAS 70 report on financial internal controls was replaced by the SSAE 16 SOC 1 report, which still comes in two flavors. A Type 1 report expresses an opinion on the description and design of controls as of a single date. A Type 2 report also covers the operating effectiveness of those controls over a period of time, for example, the six months ending December 31, 2012. Alongside the new SOC 1 report, the AICPA added the SOC 2 and SOC 3 reports. The SOC 2 report covers the data security areas for which SAS 70 reports were misused; it is used by service organizations reporting on controls outside the scope of financial reporting. Both SOC 1 and SOC 2 are restricted-use reports intended for management of the service organization, its user organizations and their auditors. They are not general-use reports designed to be broadcast to the world.
A SOC 3 report uses the same predefined Trust Services criteria as a SOC 2 report and still carries the CPA's opinion, but it omits the detail: it contains only a brief description of the system and no description of the tests of controls performed or their results. Unlike a SOC 2 Type 1 examination, a SOC 3 examination must cover a period of time rather than a single date. A SOC 3 report also comes with a seal that clients can display on their website and in their marketing collateral.
A few definitions may help unravel the uses of this emerging attestation service. First of all, SOC stands for Service Organization Control. A user organization is the company, a bank for example, that outsources a process. The service organization is the company that performs the outsourced work; when a bank outsources debt collection, the collection agency is the service organization. The resulting report is usually an unqualified opinion expressed by a CPA. That opinion does not make a service organization "SSAE 16 certified," any more than a SAS 70 report ever made one "SAS 70 certified"; neither standard certifies anything.
SSAE stands for Statement on Standards for Attestation Engagements. Statement No. 16 represents a migration toward ISAE 3402, the International Standard on Assurance Engagements issued by the International Auditing and Assurance Standards Board of the International Federation of Accountants. Both require a written assertion by management about the organization's controls. The now-outdated SAS 70 standard called only for a description of the controls in place.
SOC 2 and SOC 3 reports use AT Section 101 as the professional standard for service auditors issuing reports on controls. AT Section 101 is the codified general attestation standard, covering engagements in which a CPA issues an examination, review, or agreed-upon procedures report on subject matter, or on management's assertion about that subject matter, other than historical financial statements; SOC 2 and SOC 3 engagements are examinations under it.
A SOC 2 report expresses an opinion on "the system" against the Trust Services Principles the service organization has chosen to include: security, availability, processing integrity, confidentiality and privacy. Each principle answers a question. Security: is the system protected against unauthorized physical and logical access? Availability: is the system available for operation and use as committed or agreed? Processing integrity: is system processing complete, accurate, timely and authorized? Confidentiality: is information designated as confidential protected as committed or agreed? Privacy: is personal information collected, used, retained, disclosed and disposed of in conformity with the organization's privacy notice and the applicable criteria? "The system" referred to above is described in the report in terms of the infrastructure, software, people, procedures and data that support the services provided to user organizations, together with the service organization's policies, procedures, personnel and operational activities that are relevant to those users.
The SOC 3 report is issued in accordance with the Trust Services Principles and Criteria developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA). SOC 3 is used by service organizations that need a general-use report instead of, or in some cases in addition to, a SOC 2 report, typically because they do not wish to disclose to every prospective customer the details of the controls that meet the SOC 2 criteria. The trade-off is that in many cases a SOC 3 will not give a user sufficient detail about the design and operation of controls to rely on it for its own purposes.
Time will tell whether SSAE 16 solves the problems created by the overambitious use of SAS 70 since that standard's inception in April 1992. One thing SSAE 16 and its companion SOC 2 and SOC 3 reports have done is extend CPAs' attestation beyond internal control over financial reporting and into data security reporting.