What CPAs need to know about Service Organization Controls reports.
By James C. Bourke, CPA/CITP/CFF, CGMA
A year after the AICPA introduced the Service Organization Controls reports, I continue to field lots of questions about SOC and its different flavors.
Accountants also are still asking me about the migration to SOC from the old Statement on Auditing Standards No. 70 (SAS 70).
This article provides an overview of the SOC 1, SOC 2, and SOC 3 reports, explaining when and why to use each one.
To best understand SOC reports, it s helpful to know why the AICPA created them. The past several years have seen rapid growth in the number of businesses outsourcing various functions to service organizations such as cloud computing providers. Examples of traditional services provided by service organizations include payroll processing and medical claims processing; relatively newer services include human resources, document management, workflow, and tax processing. The growth in outsourcing has been fueled by a number of factors, including the recent economic recession, pressure to improve operational costs, an increasingly virtual workforce, and a lack of internal resources to support a process or function.
In many of these outsourcing situations, user entities submit personal or confidential customer information to service organizations for processing or storage. A breach in privacy practices may occur while such information is at a service organization. Even though the breach may occur while the information is at the service organization, the user entity continues to retain responsibility for protecting such information. Such liability concerns and the growth in cloud computing have elevated the marketplace demand for assurance regarding the confidentiality and privacy of information processed by a service organization s system.
The old SAS 70 standard was designed to assist CPAs reporting on controls at a service organization that affect user entities financial statements, not for reporting on controls at a cloud computing provider that affect the privacy of customer data. However, in the absence of a better option, SAS 70 was improperly used as the framework for such assessments, and terms such as SAS 70 certified were inappropriately used by many service organizations to indicate that their system controls had been found to be reliable and trustworthy.
As part of the Auditing Standards Board s clarity project, the AICPA split SAS 70 into two new standards: the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) for service auditors (effective for SSAE 16 reports for periods ending on or after June 15, 2011) and a new SAS for user auditors (effective for 2012 year-end audits).
Like SAS 70, the SSAE 16 standard focuses on guidance for auditors assessing financial statement controls at service organizations. This is the basis of the SOC 1 report.
The SOC 2 and SOC 3 reports both look at a service organization s controls relevant to the security, availability, or processing integrity of a service organization s system or the privacy or confidentiality of the information the system processes. These reports are based on AT Section 101, Attest Engagements, and the controls are evaluated using the trust services principles and criteria.
SOC 1 and SOC 2 are similar to SAS 70 in that both have type 1 and type 2 report options, as explained in more detail below.
- In its simplest form, SOC 1 is a report on controls at a service organization relevant to a user entity’s internal control over financial reporting. A type 1 report focuses on a description of a service organization s system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A type 2 report contains the same opinions as a type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A type 2 report also includes a detailed description of the service auditor s tests of controls and results.
- Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
- Uses the trust services criteria.
- Similar to SOC 1 in that a type 1 or type 2 report is available.
- Includes a description of the service auditor s tests of controls and results.
- Use of the report generally is restricted.
- This is a trust servicesreport for service organizations.
- Covers the same subject matter as SOC 2.
- Does not include a description of the service auditor s tests of controls and results. Also, the description of the system is less detailed than the description in a SOC 2 report.
- A seal can be issued on a service organization s website. The Canadian Institute of Chartered Accountants (CICA) administers a seal program for these engagements (if the CPA is licensed for the seal by the CICA)..
- The use and distribution of the report is NOT restricted.
Here s a quick look at the users, content, and purpose of SOC reports.
The AICPA has approved two logos that service organizations and CPAs may use in marketing their services related to SOC engagements. These logos may be used in promotional material or displayed on a website. Note that these are not seals to be displayed on the website of a service organization that has received a SOC 3 report within the past year from a CPA licensed for the seal by the CICA.
For CPAs who provide SOC 1, SOC 2, or SOC 3 engagements, the only logo approved for use is:
For service organizations that have received a SOC 1, SOC 2, or SOC 3 report issued within the past year, there is also only one logo that may be used. The logo approved for use is:
For more information, the AICPA has resources available at AICPA.org/SOC.
Demand for SOC reports should increase in the coming years because of continued growth in cloud computing.
Technology research firm Gartner expects the cloud-based, software-as-a-service market to grow at more than twice the rate of the overall software market. Gartner forecasts a compound annual growth rate of almost 16% for the SaaS market, as show in the graphic below. That compares with a projected compound annual growth rate of 6.3% for the software market as a whole.
As the cloud market grows, so do opportunities for CPAs to conduct SOC assessments of service providers. This line of work can provide a fresh flow of revenue for accounting firms.
James C. Bourke, CPA/CITP/CFF, CGMA, is a partner at New Jersey-based accounting firm WithumSmith+Brown, where he is director of firm technology. He is co-chair of the Practitioners Symposium and TECH+ Conference in partnership with the Association for Accounting Marketing Summit. He also serves on the AICPA Board of Directors and is a past president of the New Jersey Society of CPAs and a past chair of the AICPA CITP Credential Committee.
Service Organization Controls (SOC) School: Conducting Successful Engagements