AICPA to Issue New Guidance for Service Organization Controls (SOC) Reports

11/10/2010

The American Institute of Certified Public Accountants’ (“AICPA”) Auditing Standards Board (ASB) has issued Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, effective for periods ending on or after June 15, 2011. SSAE 16 replaces the SAS 70 audit standard that many user entities and service organizations have grown familiar with; however, the subject matter of SSAE 16 is similar to that of SAS 70: a report on systems (inclusive of controls) at organizations that provide services to user entities, when those controls are likely to be relevant to a user entity’s internal control over financial reporting (ICFR).
 
The ASB recognized that SAS 70 was being used for purposes it was never intended for, and that user entities had been requesting SAS 70 reports on services other than those related to ICFR. This made it difficult for service organizations and service auditors to adapt the auditing standards to uses they were not designed for. To solve this dilemma, the AICPA is in the process of preparing guidance for three different types of reports for service organizations, called AICPA Service Organization Controls (SOC) reports, expected to be issued in early 2011.
 
AICPA SOC 1
 
An AICPA SOC 1 report covers a service organization’s controls over services provided to user entities when those controls are likely to be relevant to a user entity’s ICFR. This report is very similar to the SAS 70, with Type 1 and Type 2 reports available, and will be familiar to most user entities and service organizations. The report is prepared by an independent auditor and its use is restricted to the user entity and the user entity’s auditor. It includes the familiar sections of the SAS 70: the service auditor’s opinion; the description of the system (formerly called a description of controls under the SAS 70 standard); and a test matrix that reports the control objectives, related controls, the nature of the service auditor’s tests and the test results.
 
SOC 1 will have some notable changes from the SAS 70, including management assertions; disclosure of the criteria used as the basis of management’s assessment; different treatment of management’s risk assessment as either formal or informal; consideration of monitoring controls; and the auditor’s consideration of the possibility of intentional acts by management as the cause of a deviation. For a Type 2 report, the service auditor’s opinion on the fair presentation of the description, its suitability to achieve the control objectives, and the implementation of the controls now covers the entire period rather than a point in time, as was the case under SAS 70. Service organizations that need to provide their customers with a report on controls related to ICFR for a period that ends on or after June 15, 2011 are advised to understand AICPA SOC 1 now so that they are prepared for the changes.

AICPA SOC 2
 
An AICPA SOC 2 report is intended for service organizations that need to issue a report on controls other than those related to ICFR. The AICPA anticipates that the main services covered by SOC 2 will be security, availability, processing integrity, confidentiality, or privacy. The SOC 2 will include the same report elements as a SOC 1; however, the service auditor will perform the examination in accordance with AICPA Professional Standards Attestation Standard (AT) 101 rather than SSAE 16. Like SOC 1, SOC 2 use may be restricted to user entities and others that have knowledge of the user entity’s services, such as regulators. SOC 2 differs from SOC 1 in that the control objectives, in most cases, are expected to be based on the AICPA and Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria. As such, SOC 2 is more prescriptive than SOC 1, since in SOC 1 the service organization has greater discretion in defining the control objectives. Although a SOC 2 uses the Trust Services Principles and Criteria, the service organization may be precluded from placing a Trust Services Seal on its website if the use of the report is intended to be restricted.
 
AICPA SOC 3

An AICPA SOC 3 report is similar to a SOC 2; however, it is intended for general, not restricted, use. Like SOC 2, SOC 3 covers security, availability, processing integrity, confidentiality, or privacy, and is limited to the principles and criteria defined in the AICPA and CICA Trust Services Principles and Criteria. SOC 3 differs from SOC 2 in that a SOC 3 may not include a description of the system and does not include a Trust Services practitioner’s test matrix. The end result of a SOC 3 may be the placement of a Trust Services Seal on the service organization’s website. This is an ideal solution for service organizations that want to demonstrate to visitors of their website, business partners, or prospective customers that they have maintained effective controls over the service covered by the Seal, based on the AICPA and CICA Trust Services Principles and Criteria.

For a detailed comparison among SOC 1, SOC 2, and SOC 3 reports, please view this document from the AICPA.

For more information on AICPA SOC reports, please contact Kelly O’Callaghan, partner and information technology audit practice director, via email or at 973-618-6221, or Bruce Nearon, director of information technology audit services, via email or at 973-871-4035.
