December 28, 2017
What is a service organization and a user entity?
A service organization is an organization that provides services to its customers or others (user entities).
A user entity is the business that uses the services of a service organization.
What is the SOC suite of services?
System and Organization Controls (SOC) is a suite of service offerings CPAs may provide. The report on the controls at the service organization provides valuable information that users need to assess and address the risk associated with outsourced services.
Which SOC report applies to my organization?
SOC 1 – A report on internal control over financial reporting at a service organization.
SOC 2 and SOC 3 – A report on internal control related to information systems and data security, availability, confidentiality, processing integrity, and/or privacy at a service organization.
SOC for Cybersecurity – A report about the effectiveness of a service organization’s cybersecurity risk management program.
What additional characteristics distinguish SOC 1, SOC 2 and SOC 3?
A SOC 1 report is specifically designed to provide management of the service organization, user entities, and their independent auditors (user auditors) with information about the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting. The SOC 1 report enables the user entities’ auditors to perform risk assessment procedures when planning and performing an audit of the financial statements. Use of the report is restricted to management, user entities and their independent auditors.
A SOC 2 report is specifically designed to meet the needs of a broad range of users including management of service organizations, user entities, and other specified parties. The SOC 2 report provides information about the internal controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (as established by TSP 100). Use of the report is generally restricted.
A SOC 3 report is a public report. It provides interested parties with a service auditor’s opinion about controls at the service organization relevant to the Trust Services Principles and criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.
How is SSAE 18 related to SOC?
The AICPA’s Auditing Standards Board (ASB) has revised all of the existing attestation standards by clarifying the Statements on Standards for Attestation Engagements (SSAEs) and issuing SSAE 18, Attestation Standards: Clarification and Recodification. Although SOC reports now reference a new standard, we would not consider the revisions significant.
How do SSAE 16 (AT 801), AT 101 and SSAE 18 differ?
SSAE 18 is the new standard for all attestation engagements, including the new SOC for cybersecurity.
SSAE 16 (AT 801) is the old standard for SOC 1 engagements.
The new guidance in SSAE 18 is as follows:
AT-C Section 105, Concepts Common to all Attestation Engagements
AT-C Section 205, Examination Engagements
AT-C Section 320, Reporting on the Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
AT 101 is the old standard for SOC 2 and SOC 3 engagements.
The new guidance in SSAE 18 is as follows:
AT-C Section 105, Concepts Common to all Attestation Engagements
AT-C Section 205, Examination Engagements.
What changed with the issuance of SSAE 18?
The actual changes to SOC engagements relate to the following:
SSAE 18 requires the service organization to implement a vendor management program, assess risk annually and to monitor the complementary user controls at the subservice organizations. The service auditor will test the applicable controls and document the reliability of the data used for testing.
What is the difference between a Type 1 and a Type 2 Service Organization Report?
• Type 1 – Report on management’s description of a service organization’s system and the suitability of the design of controls as of a point in time.
• Type 2 – Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specified period of time.
What is a system description?
Management of a service organization is responsible for preparing the description of the service organization’s system, including the completeness, accuracy and method of presentation of the description. The system description includes the procedures within both manual and automated systems, by which services are provided, including procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary and transferred to reports and other information prepared for user entities.
Why would a service organization want a SOC 2 or SOC 3 report?
Because the SOC 2 and SOC 3 reports are based on predefined criteria, user entities may ask for a SOC 2 or SOC 3 report to provide them with assurance that controls are in compliance with industry standards. In addition, some companies use service providers for activities not relevant to the audited financial statements. Because a SOC 1 report can only be used for processes related to internal control over financial reporting, user entities may request a SOC 2 or SOC 3 report for assurance that the predefined controls (TSP 100) are in place.
What is the difference between a SOC 2 and SOC 3 report?
The main difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and the results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system, and is generally a restricted-use report. A SOC 3 report covers the same information as a SOC 2 report, but it is intended for a general audience. SOC 3 reports are shorter and do not include the same level of detail as a SOC 2 report.
Can I get more than one report?
Yes. Because the same criteria are used for SOC 2 and SOC 3 reports, many service providers will choose to do both. Service providers that need a SOC 1 (because their services are relied upon by their clients’ financial auditors), but still want to provide assurance they meet the predefined trust services criteria, may find it advantageous to align their SOC 1 controls with the predefined Trust Services criteria. While the reports cannot be combined, certain testing performed in each engagement may provide evidence for the other engagements. This simplifies the compliance process for the service provider and allows the service provider to offer all three reports to its clients, in addition to using the SOC 3 for marketing purposes.
How do I get started?
Before committing to a comprehensive SOC examination, we can help you with a readiness assessment. The purpose of a readiness assessment is to assist with the following:
Performing a readiness assessment prior to the SOC examination gives management an opportunity to remediate or implement controls to achieve the control objectives before the examination begins.
What is SOC 2 + Additional Subject Matter?
The service organization has the option to include additional subject matter related to the service organization’s services.
Additional subject matter examples are as follows:
The service organization provides an appropriate supplemental description of the additional subject matter, a description of the criteria used to measure and present that subject matter, and, if the criteria are related to controls, a description of the controls intended to meet the control-related criteria, together with an assertion by management regarding the additional subject matter.
What is SOC for cybersecurity?
SOC for cybersecurity is a reporting framework to help organizations effectively communicate with key stakeholders on their cybersecurity risk management program and the effectiveness of controls within that program. SOC for cybersecurity is an examination engagement performed by independent CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program, and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use.