Jeff Ziplow, MBA, CISA, CGEIT
In 1980 the American Institute of Certified Public Accountants (AICPA) implemented the Statement on Auditing Standards No. 70, commonly known as SAS No. 70, to review and evaluate the internal controls of a service organization. SAS No. 70 quickly became a standard for the user organizations to obtain assurance that their data was being protected and managed in a secure manner. At the same time, service organizations were using SAS No.70 as a way to show existing and potential customers that they were utilizing industry best practices.
Naturally, the death of SAS No. 70 audits has raised several questions and some confusion. To gain clarity on the auditing standard’s replacement and its alternatives, it helps for service providers and their customers to understand what went on behind the scenes that caused this change.
SAS70 audits served as the primary standard for assessing an external service provider’s internal controls as they relate to the integrity of their customers’ financial reporting statements under Sarbanes-Oxley (SOX) section 404, PCI and other regulation and compliance standards. The standard became misused as a “certification of assurance”, which the AICPA has asserted was not the intended purpose. Before the standards changed, many providers were advertising that they had attained a SAS70 “certification” to help sell the integrity of their services to potential customers.
The combination of SAS70’s misuse, newly adopted compliance standards and a desire to incorporate the International Auditing and Assurance Standards Board into U.S. auditing and attestation standards led to the demise of SAS70 and the birth of SSAE16. As of June 15, 2011, the new attestation standards, Standards for Attestation Engagement (SSAE) No. 16 (also known as Service Organization Control 1, or SOC 1) replaced SAS70. In addition to SOC 1, there are also two additional Service Organization Controls – SOC 2 and SOC 3 – which focus on the five Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality and Privacy) adopted by the AICPA.
With the widespread use of cloud-related services, more companies want to know how their service providers are protecting and managing their data. This information is available in the details of the SSAE16/SOC 1 report, which typically contains control objectives that relate to the types of assertions commonly embodied in the broad range of user entities’ financial statements. Many end-user organizations are asking one common question to satisfy their data security concerns: “Do you have a SSAE16/SOC 1 report?”
Unfortunately, if the answer is yes, the customer typically checks a box and moves on to the next question at hand without fully understanding what the SSAE16/SOC 1 report offers. A SOC 1 report comes in two variations:
- Type I - a review of the design of controls as of a specified date
- Type II - a comprehensive test of design and operating effectiveness of controls throughout the specified period
What should I be looking for in a SSAE16/SOC 1 report as an end-user organization?
There are three key elements within the SOC1 report:
- Management (at the service organization) provides a written assertion which includes:
  - A description of the controls that were designed and implemented during the reporting period
  - Confirmation that the controls are suitably designed to achieve the control objectives
  - Affirmation that the controls operated effectively throughout the period to achieve the control objectives (Type II only)
- A risk analysis that identifies all risks that threaten the control objectives and describes the controls that have been established and implemented to mitigate those risks.
- The auditor’s opinion, which will be on the description of the controls in place throughout the whole reporting period, not just those at one point in time (for organizations subject to Type II reporting).
While a SOC1 focuses on controls over financial reporting, both SOC 2 and SOC 3 provide guidance on other internal controls that should be in place at a service organization. These reports specifically illustrate the controls related to the five Trust Services Principles and Criteria previously described.
Do SOC 2 and SOC 3 cover all five of the Trust Services Principles in each report?
Not necessarily. Service organizations only need to issue reports on those principles that relate to their operations and those that would best satisfy their customers’ needs and/or requests. The service organization determines which of the five Trust Services Principles to report on.
Can a service organization have more than one SOC report performed?
Yes, a service organization may issue multiple SOC reports depending on the needs of their customers.
What is the right Service Organization Control (SOC) report for my organization?
If a service organization performs outsourced services such as payroll processing, loan servicing, data center/network monitoring services or Software as a Service (SaaS) that affect the financial statement of another company (the user organization), you will most likely be asked to provide an SSAE16/SOC1 Type II report. This is especially true if the user organization is publicly traded.
If your organization performs outsourced services that do not affect the financial statement of another company, a SOC 2 or SOC 3 would be the best approach.
What is the frequency of a SSAE16?
Annually. Financial auditors rely on the assertion and results of the SSAE16 audit; as a result, the service organization typically has its SSAE16/SOC 1 audit performed prior to the end of the financial year.