The Service Organization Control (SOC) audit framework is designed to give consumers confidence in the provider they have selected and to let the provider give assurance about the design and effectiveness of its controls. Consumers gain a means to assess and address the risk of services sourced outside their company. These audits produce reports issued under an attestation standard known as Statement on Standards for Attestation Engagements (SSAE) 18. SSAE 16 was replaced by SSAE 18 in 2017, so service organizations now need to implement a formal third-party vendor management program and a formal annual risk assessment process.
SOC 1
SOC 1 reports focus solely on controls at a cloud service provider that are likely to be relevant to an audit of a subscriber’s financial statements. These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
There are two types of reports for these engagements:
- Type 1: Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
- Type 2: Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period
Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
SOC 2
SOC 2, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
There are two types of reports for these engagements:
- Type 1: Report on management’s description of a service organization’s system and the suitability of the design of controls
- Type 2: Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls
The report specifically addresses any number of the five “Trust Services Principles,” which are:
- Security: The system is protected against unauthorized access, use, or modification
- Availability: The system is available for operation and use as committed or agreed upon
- Processing integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA
There is a growing number of variants and specializations of the SOC 2, two of which are:
- SOC for Service Organizations: SOC 2® HITRUST
- SOC for Service Organizations: SOC 2® CSA STAR Attestation
SOC 3
The SOC 3 report is a publicly available summary of the vendor’s SOC 2 report and provides the AICPA SysTrust Security Seal. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA’s Security Trust Principles included in the SOC 2 report), the assertion from the vendor’s management regarding the effectiveness of controls, and an overview of the vendor’s infrastructure and services.
This is a great resource for customers to validate that the vendor has obtained external auditor assurance without going through the process to request a SOC 2 report.
A key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report is generally restricted in distribution and coverage, requiring a nondisclosure agreement (NDA) due to the information it contains, whereas a SOC 3 report is broadly available, with limited information and details included within it (often used to instill confidence in prospective clients or for marketing purposes).
SOC for Cybersecurity
The SOC for Cybersecurity examination is a new entry into the SOC family. It provides an independent, entity-wide assessment of an organization’s cybersecurity risk management program. It establishes a reporting framework through which organizations can communicate relevant, useful information about the effectiveness of their cybersecurity risk management program, and through which CPAs can report on that information to meet the cybersecurity information needs of a broad range of stakeholders. The program has three components:
- Description criteria for management’s description of an entity’s cybersecurity risk management reporting program
- 2017 Trust Services Criteria for management to evaluate the effectiveness of controls and for attestation services
- AICPA guide for reporting on an entity’s cybersecurity risk management program and controls