Changes to Service Organization Control reports: Avoiding mismatched SOCs

March 2011

In a previous article, we discussed the emerging SSAE 16 attestation standard, specifically the evolution of SAS70 to SSAE16 (SOC 1).

Now, let’s look at the “new” service organization control (SOC) reports - SOC 1 and SOC 2 - how they differ, what they provide, who might benefit from their use, and which report type is right for you. To begin, let’s assume that for previous users of SAS70, SOC 1 is the right product for your clients, as your services have a direct and material impact on their financial statements. For example, if you provide billings services for various healthcare providers, those billings represent Accounts Receivable balances that are of interest both to your clients and their financial auditors; SOC 1 is the right product to provide that service.

SOC 2

Increased use of outsourced services by businesses has resulted in a demand by user entities for assurance regarding the systems underlying those services. Unlike an outsourced billing or accounts receivable function, these services may not have a direct and material effect on an entity’s financial statements. As such, the full scope of a SOC 1 may be excessive, or irrelevant, to user organizations. In these instances, SOC 2 Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy is intended to meet that need with appropriate focus and scope. In addition, SOC 2 comes with a standardized set of control objectives that enables comparison of these objectives across entities.

An example of the applicability of SOC 2 is an engagement to report on a service organization’s controls over privacy. Many user entities are required by law or regulation to maintain the privacy of the information they collect from customers; this requirement does not go away when the data is sourced to a service organization. To address these requirements, management of a user entity may ask the service organization for a service auditor’s report on the effectiveness of its controls over the privacy of the information it processes or maintains for user entities.

Another example is “availability”: you may provide hosted data center services for several web-based retail clients. Lack of website availability may not have a direct and material effect on the financials, but the impact of availability is of tremendous importance to your client’s Management, not to mention their brand. SOC 2 provides a right-sized audit framework to deliver assurance to the clients who value your product.

Unlike SSAE 16, the primary users of SOC 2 reports generally are not user auditors but rather management of the user entities.

SOC 3

SOC 3 reports are not really new; they have existed as AICPA Trust Services, including WebTrust and SysTrust engagements, for several years. With the retooling of attestation standards, Trust Services fall into the new SOC framework, likely a more appropriate home for this type of engagement.

SOC 3 reports are designed to meet the needs of users who want assurance on controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but who do not need (or want) the detailed description of tests of controls and results included in either a SOC 1 or SOC 2 report. This allows the user of a SOC 3 report to provide assurance over their controls and process, while keeping the techniques and technology of that process private.

Examples of intended readers for which a SOC 3 engagement is a good fit include business partners, such as web hosts or certificate issuers, and shareholder/stakeholders, such as a sole owner seeking independent assurance of controls.

Unlike a SOC 1 or SOC 2 report, an SOC 3 report may be used by both current AND prospective customers of the service organization.

In addition to a traditional audit report, a SOC 3 report can be delivered in the form of a seal displayed on the service organization’s website.

The emergence of SOC standards is creating a diverse array of attestation products that do a much better job of meeting client needs, both today, and in the future. Whether you client’s assurance needs are financial or operational in nature, a SOC report type exists to provide the level of assurance required. Consider whether obtaining a SOC 2 or SOC 3 report might provide your clients greater assurance regarding your controls and processes, and potentially provide you with a competitive advantage in your industry.

For questions on this article, please contact your BNN advisor at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.