Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA) rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992. Along with this new standard are new associated report standards — Service Organization Control (SOC) Reports, of which there are three: SOC 1, SOC 2 and SOC 3.
The increased attention in recent years given to an organization’s internal controls has somewhat naturally extended to the internal controls of service providers and support partners. This is based partly on the simple notion that any given control environment is only as strong as its weakest link, so validation of controls implemented by significant service providers makes sense. Where service provider controls need to be confirmed, it has long been customary to request a SAS 70 report from the service provider. SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place to the extent those controls have an impact on client financial statements. While SAS 70 is not truly focused on specific controls or on whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls. SSAE 16 and the new SOC reports were specifically intended to address this shortcoming.
SSAE 16 — Standards for Attestation Engagements No. 16 — along with AT Section 101, Attest Engagements, provides for three types of Service Organization Control reporting options. A SOC 1 report focuses on a service provider’s controls to the extent they may impact a user’s financial statements. A SOC 2 report is a restricted report on controls related to specific compliance or operational concerns in the following five trust service areas: security, availability, processing integrity, confidentiality and privacy. Both SOC 1 and SOC 2 options allow for a Type 1 and a Type 2 report. A Type 1 report provides a description of the service provider’s system for the relevant compliance or operational area and the auditor’s opinion of the fairness of that description and its suitability. A Type 2 report includes a description of the actual testing performed by the auditor as well as the test results. Finally, a SOC 3 report addresses whether a service provider’s controls satisfied various criteria for the five trust services areas; it may be generally distributed to third parties (not only users) and allows the display of a SOC 3 seal on the service provider’s website.
We all know that the business environment is characterized by a substantial degree of interdependence among business organizations, particularly with service providers. As it relates to the realm of technology, it’s both a best and a smart business practice for a technology service provider to make available — and to be expected to provide — to its client users additional assurances concerning the controls that the service provider has in place for security, availability, processing integrity, confidentiality or privacy concerns. SOC 1, 2 and 3 reports readily address this business requirement on both sides of that equation. It may just be a happy coincidence, but the availability of these new SOC reports is right in step with the emergence of the cloud computing phenomenon and the numerous concerns that cloud-based technology services raise in the five key trust areas noted above.
The takeaway: expect to see SOC reports become SOP before long.