Several prominent internal control breakdowns and increased focus on internal control by regulators, boards of directors and others charged with governance have led to increased demand for attestation reports on controls over subject matter other than financial reporting provided by an independent CPA. Neither Statement on Auditing Standards (SAS) no. 70, Service Organizations, nor the new standard that replaced SAS no. 70, Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, is intended to address controls relevant to these risks.
In response to this demand, the AICPA has developed the Service Organization Control (SOC) reporting framework. The framework is designed to help service organizations, their customers and CPAs understand the types of examination reports a CPA can issue related to service organization controls. The AICPA also has published new guidance for attestation reports to help meet this growing demand for internal control reporting.
The SOC (commonly pronounced “sock”) framework includes three reporting options. This article focuses on SOC 2 reports and engagements and provides some additional information on SOC 3 engagements.
SOC 1 engagements are performed in accordance with SSAE no. 16 and focus solely on controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.
SOC 2 engagements are performed in accordance with AT section 101, Attest Engagements, using the guidance provided in the Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) (the SOC 2 Guide).
A SOC 2 engagement is designed to provide:
Organizations that outsource tasks and functions a mechanism for improving governance and oversight of service providers.
Service organizations the ability to communicate the suitability of the design and operating effectiveness of their controls through a widely accepted reporting format.
CPAs an opportunity to expand their attestation services through a new report that meets a marketplace need.
SOC 2 reports provide users with:
(1) A detailed description of a service organization’s system, including controls designed to achieve the criteria for one or more of the Trust Services principles. A Trust Services report for service organizations is performed under AT section 101 using TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Trust Services is defined as:
A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs around controls at the service organization that are relevant to one or more of the Trust Services principles of security, availability, processing integrity, confidentiality or privacy. Trust Services principles and criteria are issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).
(2) An assertion by management regarding the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls; and
(3) A CPA’s opinion on the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls and description of the tests performed by the CPA and the results of those tests. The fairness of a service organization’s system is measured using system description criteria set forth in the SOC 2 Guide while the suitability of design and operating effectiveness of controls related to security, availability, processing integrity, confidentiality or privacy are assessed using criteria in TSP 100.
SOC 3 reports provide users with (1) an assertion by management that it maintained effective controls to meet the Trust Services criteria, (2) a short description of the service organization’s system, and (3) a CPA’s examination report on either management’s assertion or on the effectiveness of controls that meet the Trust Services criteria. The fairness of management’s assertion is assessed using criteria in TSP 100.
It is important to note that a system is more than just computer hardware and software. It is the policies and procedures used by service organizations to provide services to their customers. A system includes the physical environment and hardware components, application and operating system software, people, procedures and data. As it relates to privacy, a system includes all aspects of the life cycle of personal information, including how it is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA (see “GAPP Targets Privacy Risks,” in this issue, page 52).
OUTSOURCING AND ITS EFFECTS
Many companies function more efficiently and profitably by outsourcing tasks or entire functions to other organizations (service organizations) that have the personnel, expertise, equipment or technology to accomplish these tasks. As part of these services, a service organization will often collect, process, transmit, store, organize, maintain and dispose of information for its customers. Examples of service organizations include cloud computing providers, payroll processors, information security service providers and information service providers.
Although a company outsources tasks to a service organization, company management retains its responsibility for the outsourced tasks and the manner in which they are performed and is held accountable by the company’s stakeholders, including its board of directors, shareholders, customers, employees, business partners and regulators. Many of these responsibilities can be grouped using the Trust Services principles, which address the security, availability and processing integrity of the system used to provide the outsourced tasks, and the confidentiality and privacy of information used by the system. As part of its corporate governance, management of an organization needs to address these responsibilities by:
Developing procedures to identify risks resulting from its outsourcing relationships.
Identifying controls at the service organizations that address the risks.
Evaluating the suitability of the design and operating effectiveness of the service organization’s controls.
Implementing and maintaining controls to address risks not addressed by controls at the service organization.
OBTAINING INFORMATION ABOUT A SERVICE ORGANIZATION’S SYSTEM AND ITS CONTROLS
In some cases, an organization’s management can evaluate the quality of operations of a service organization and the suitability of the design and operating effectiveness of the service organization’s controls by establishing monitoring procedures that enable it to prevent—or detect—and correct processing errors and control exceptions by a service organization. To illustrate, as it relates to processing integrity, the company initiates and records the information it submits to the service organization for processing and is able to compare the results of processing with its own records. For example, an organization evaluates sales literature fulfillment services performed by a service organization by comparing the fulfillment statistics provided by the service organization with the printing and mailing costs of the literature.
In other cases, the company must rely either completely or partially on the effective operation of the service organization’s controls. For example, to meet its regulatory obligations and privacy commitments to its patients, a health care provider that outsources the analysis of patient service outcomes must rely on the privacy controls at the service organization. In such a circumstance, the health care provider has a limited ability to monitor the effectiveness of the service organization’s privacy controls.
A company may be able to get information about controls at a service organization directly from the service organization. Often this information comes from the service organization in the form of “Frequently Asked Questions” or as part of the system description. A service organization may also have a list of controls that it has implemented. However, this information may have limitations, such as:
There are no defined criteria for what constitutes an adequate description of a system and its controls.
In describing its systems, service organizations do not use a consistent set of criteria for measuring whether a service organization’s controls are suitably designed and operating effectively.
Except for controls likely to be relevant to user entities’ financial statement assertions, service organizations have not had a consistent and well-recognized method of providing an independent CPA’s attestation report on their system descriptions or the suitability of design and operating effectiveness of their controls.
SOC 2 engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls.
SIMILARITY TO SOC 1 REPORTS
A service organization may engage a CPA to report on controls at the service organization that cover one or more of the Trust Services principles of security, availability, processing integrity, confidentiality and privacy. Service organizations undergo such an engagement to provide copies of the SOC 2 report to their customers and other intended recipients of the reports such as regulators and business partners. The report enables users to secure evidence about the effectiveness of internal control at the service organization as it relates to one or more of the Trust Services principles.
The written description of the service organization’s system includes, among other things, the nature of the service provided to user entities, procedures used to provide the service, and the service organization’s controls that address the applicable Trust Services criteria. While the written description is similar in form to the written description prepared for a SOC 1 report, a SOC 2 report uses the applicable Trust Services criteria in place of the familiar control objectives of a SOC 1 report or a SAS no. 70 report.
Similar to a SOC 1 report, there are two types of SOC 2 reports:
1. Type 1 report. The service auditor (the CPA performing the engagement) expresses an opinion on whether the description is fairly presented (that is, whether it describes what actually exists) and whether the controls included in the description are suitably designed. Controls that are suitably designed are able to meet the applicable Trust Services criteria if they operate effectively.
2. Type 2 report. The service auditor’s report contains the same opinions as those in a type 1 report but also includes an opinion on whether the controls were operating effectively. Controls that operate effectively do meet the applicable Trust Services criteria as intended. A type 2 report also includes a description of the service auditor’s tests of operating effectiveness and the results of those tests so that users can determine how the results of the service auditor’s tests affect a particular company and meet its needs.
In addition to preparing a written description of the service organization’s system, management of the service organization has certain other responsibilities in a SOC 2 engagement, including:
Defining the scope of the engagement. Management determines which service(s) and Trust Services principle(s) will be covered by the SOC 2 report. In determining the scope of the system, management of the service organization should consider the needs of report users, including their regulatory obligations, governance requirements and industry practices.
Determining whether to engage the service auditor to perform a SOC 2 type 1 or type 2 engagement, depending on the needs of users.
For type 2 reports, determining the time period covered by the report. Unlike SOC 1 reports, there is no generally accepted minimum useful period that a report needs to cover. However, the period covered should be sufficiently long for the service auditor to be able to opine on the operating effectiveness of the controls and to meet the needs of report users. Service organizations may wish to discuss the time period with their service auditor.
Providing a written assertion to be attached to the description of the system. This written assertion by management confirms, to the best of management’s knowledge and belief, that the description is fairly stated, controls were suitably designed to meet the applicable Trust Services criteria, and, for type 2 reports, the controls were operating effectively throughout the period. For type 2 reports addressing the privacy principle, management’s assertion also confirms that management has complied with its privacy commitments. The assertion also confirms that management has a basis for making its assertion including the suitability of the design and operating effectiveness of the service organization’s controls.
Providing written representations to the service auditor regarding its written assertion and other matters, such as compliance with laws and regulations and the completeness of the information provided to the service auditor.
PERFORMING SOC 2 ENGAGEMENTS
SOC 2 reports provide CPAs with an opportunity to meet the needs of service organizations and their stakeholders that have long gone unmet. Service organization customers have often asked for a SAS no. 70 report addressing controls that are not relevant to user entities’ internal control over financial reporting. With the issuance of the SOC 2 Guide, service auditors have a report specifically intended to meet those needs.
Planning, performing and reporting for SOC 2 and SOC 1 engagements are similar. Service auditors experienced in performing SAS no. 70 examinations and now SOC 1 engagements should be well-prepared to perform SOC 2 engagements. However, there are some unique factors a service auditor should consider before accepting a SOC 2 engagement:
Ensure they have adequate knowledge of the subject matter, since SOC 2 reports address the operating effectiveness and compliance aspects of internal control rather than controls likely to be relevant to a user’s internal control over financial reporting. Such knowledge should include the understanding of both the services provided and the Trust Services principles addressed by the report. A service auditor may meet the knowledge requirement through the use of one or more specialists as indicated in AT section 101.
Consider whether the period of the report is sufficient to meet the needs of users and sufficient for the service auditor to form an opinion on the operating effectiveness of the controls that meet the applicable Trust Services criteria.
Consider whether a SOC 2 report on the selected principles is likely to meet the needs of users and whether the report is likely to be misunderstood by those users.
The service auditor should also discuss with the service organization’s management that knowledge of the subject matter and internal control is required of report users to reduce the risk of report misunderstanding. Because of this risk, the service auditor should reach agreement with service organization management that use of the service auditor’s report will be restricted and the intended users of the report should be identified.
SOC 3 REPORTS
Service organizations may need a general-use report (or seal) instead of or in addition to a SOC 2 report. In addition, a service organization may not wish to provide details of controls in its system description or a description that meets the criteria set forth in the SOC 2 Guide. In these situations, the service organization may choose to engage a practitioner (a CPA performing an attestation engagement) to issue a SOC 3 report. A SOC 3 report is prepared under AT section 101 using TSP section 100. A practitioner may report on one or more of the five Trust Services principles.
In the examination report included in TSP section 100, the practitioner expresses an opinion on whether the service organization maintained effective controls over its system, based on the criteria in TSP section 100 that are applicable to the Trust Services principle(s) on which the practitioner is reporting. Because SOC 3 reports are for general use, they can be freely distributed or posted on a website as a seal (for more information about the seal program, go to www.webtrust.org).
Although a SOC 3 report is designed to meet the needs of a broad range of users, in many cases it will not provide a user with sufficient detail about the design and operation of controls to meet his or her needs.
More information about the right report to use in certain circumstances is outlined in Exhibit 1.
CPAs have an opportunity to expand their attestation services through a new SOC report.
SOC 2 engagements are designed to meet the needs of service organization users and other stakeholders. They provide organizations that outsource tasks and functions a mechanism for improving governance and oversight of service providers. They also enable service organizations to communicate the suitability of the design and operating effectiveness of their controls through a widely accepted reporting format.
There are two types of SOC 2 reports. Type 1 reports provide a description of a service organization’s system and a CPA’s opinion on the fairness of the description and the design of the service organization’s controls. Type 2 reports also add the CPA’s opinion on the operating effectiveness of controls.
CPAs in public practice who are familiar with reports performed using SAS no. 70 and SSAE no. 16 are well-positioned to accept SOC 2 engagements to meet their clients’ needs. However, there are some unique factors a service auditor must consider first, such as whether the period of the report is sufficient to meet the needs of users and sufficient for the service auditor to form an opinion on the operating effectiveness of the controls that meet the applicable Trust Services criteria, among others.
Chris Halterman (firstname.lastname@example.org) is executive director of Advisory Services for Ernst & Young LLP and is chairman of the AICPA Trust Services/Data Integrity Task Force.