A strong understanding of SOC 1, 2, and 3 reports is essential to clearly articulate services and internal control processes to user organizations.
If you are involved with executive management at a service organization, your workdays are extremely busy, often consumed by overseeing a variety of tasks, meetings, and other customer or employee concerns.
However, no matter how busy you are, a critical topic for your service organization is the Statement on Standards for Attestation Engagements (SSAE) No. 16 and the Service Organization Controls (SOC) reporting framework.
Why, you ask? With a greater focus on internal control by regulators, boards of directors, and others charged with governance, there has been an increase in demand for attestation reports for both controls over financial reporting and other subject matters. In response, the American Institute of Certified Public Accountants (AICPA) has developed the SOC reporting framework. The new SSAE 16 standard, used to create a SOC 1 report, focuses solely on a service organization’s relevant internal controls over financial reporting. SOC 2 and 3 reports are not defined by SSAE 16 and focus on the organization’s controls over its system’s security, availability, processing integrity, confidentiality, and privacy.
Your clients are likely already thinking about the SOC reporting framework and which SOC report is most valuable for their company, those in charge of governance, and their auditors. It is important for service organization management to be fully educated about SSAE 16 and the new SOC framework, so they are well prepared to discuss the effective use of a SOC 1, 2, or 3 report when requested by a user organization.
Service organizations should understand:
- The new SSAE 16 standard and its importance to a service organization
- How service organizations can prepare to respond to SOC requests
- How to choose between SOC 1 and SOC 2 reports
- The SOC 3 report and its benefit
Importance of SSAE 16 to your service organization
SSAE 16 is the new standard for creating a SOC 1 report and, in effect, replaces SAS 70 reports. In fact, the terms SSAE 16 and SOC 1 are often used interchangeably.
With the adoption of SSAE 16, user organizations are likely to request SOC 1 reports from service organizations more frequently. SSAE 16 provides user organizations with a strong sense of comfort about the processes service organizations perform relevant to controls around financial reporting that impact user organizations.
The most significant benefit of SSAE 16 for service organizations is that it allows them to more clearly articulate information about their company and its control environment. In essence, SSAE 16 enables service organizations to present a strong position to their user organization clients about their control environment relevant to processes that impact user organizations’ financial reporting.
Under the new standard, it is clear that the purpose of a SOC 1 report is to report on the controls at a service organization that are relevant to the user organization’s financial reporting. By comparison, the old standard (SAS 70) was sometimes used inappropriately to report on internal controls not related to financial reporting, such as compliance and operations, for which it was not designed.
The new standard, SSAE 16, eliminates much of the unwarranted reliance service organization clients had on the old standard. In addition to clarifying that SOC 1 reports are applicable only to controls at a service organization that are likely to impact a user organization’s financials, the standard requires that a representation by management of the service organization be included in the description of the controls.
While awareness of the SOC 1 report is increasing since the introduction of the new standard, it is critical to take into consideration that this type of report is not appropriate for all service organizations. Service organizations can also utilize the SOC 2 report.
Emergence of the new SOC 2 report
With the introduction of the new SOC reporting framework, SOC 2 is emerging as a mainstream report requested by a broad range of user organizations. The benefit of the SOC 2 report for service organizations is that they can now offer clients a separate report focusing on internal controls not related to financial reporting. These reports can help clients better understand internal controls at the service organization related to its system’s security, availability, processing integrity, confidentiality, and privacy. With a SOC 2 report, the definition of the system is broader than in a SOC 1 report, and may also relate to operations. The system is defined by the service provided.
Key differences between SOC 1 and SOC 2 reports
The fundamental difference between a SOC 1 and SOC 2 report is that SOC 1 reports on the controls of the service organization that are relevant to the user organization’s financial statement assertions. SOC 2 reports on the effectiveness of the controls of the service organization related to compliance or operations, including the following criteria: security, availability, processing integrity, confidentiality, and/or privacy (also known as trust services principles and criteria). The security, availability, and processing integrity criteria are related to the controls system, and the confidentiality and privacy criteria are related to the information processed by the system.
SOC 1 and SOC 2 reports both require details on the service organization’s controls, tests, and accompanying results performed by the service organization auditor. They both also, typically, have limited distribution; however, their audiences differ slightly. For a SOC 1 report, the user organization’s controllers, compliance officers, CFO, and CIO typically receive the data. With a SOC 2 report, the audience is specified parties who are knowledgeable about the nature of the service provided, the internal controls, and the applicable trust services criteria. This may include the CFO, CIO, and compliance officers, as well as vendor management executives, regulators, or the business partners who have sufficient knowledge about how to appropriately use the report.
The differences between SOC 1 and SOC 2 reports are important. Service organizations should work closely with their service auditors to discuss the key differences and assess their clients’ needs to determine which report will provide them, and their user organizations, with the most value.
SOC 1 and SOC 2: Which report provides most value for your service organization?
When service organizations are working with their auditors to determine which SOC report is most appropriate, the key question to ask is whether the controls at the service organization are relevant to the user organization’s financial reporting. If the answer to this question is yes, then the service organization should participate in a SOC 1 report.
It is recommended that service organizations participate in a SOC 2 report if independent assurance regarding compliance and operational controls is of chief concern, including the trust services principles and criteria.
Service organizations can transition to SOC 2 reports if it’s more appropriate for their company to be assessed on their internal controls not related to financial reporting. As with preparing for any SOC report, it should be noted that SOC 2 transitions take time and that service organizations should engage their service auditors for a readiness assessment.
Introducing SOC 3
The new SOC reporting framework introduced the SOC 3 report, which is an underutilized opportunity for service organizations. The SOC 3 report is very similar to the SOC 2 report. The key differentiators are that a SOC 3 report does not require a detailed description of the controls of the service organization related to compliance or operations or detailed testing procedures (though it does cover the trust services principles and criteria), and the distribution of the report is not restricted.
The SOC 3 report simply reports on whether the service organization achieved one or more of the trust services principles and criteria. Anyone who would like confirmation of the controls of the service organization can view the SOC 3 report.
A SOC 3 report is considered valuable for a service organization if the organization decides it does not want to reveal the details of its controls or when a user organization requests a SysTrust for Service Organizations seal. The SysTrust seal is a recognized symbol that can be displayed on a service organization’s website after the completion of a SOC 3 report.
*Trust services principles and criteria are security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria are related to the controls system and the confidentiality and privacy criteria are related to the information processed by the system.
Key takeaways from the introduction of SSAE 16 and SOC reporting framework
The introduction of SSAE 16 and SOC 1, as well as SOC 2 and 3, will build on SAS 70 and continue to benefit service organizations. Service organizations now have the ability to offer user organizations in all industries what they have been wanting for many years – assurance reports focusing on distinct issues:
- Controls relevant to the user organization’s financial reporting; and
- Controls related to important compliance or operations areas
And with the SOC 3 report, service organizations can now offer a brief summary or seal on the security, availability, processing integrity, confidentiality, and/or privacy of their controls.
Moving forward, it will be essential for service organizations to continue working closely with their auditors, helping to ensure they have successful SOC reports, retain and grow user organization clients, and maintain and enhance their reputations.