More Alphabet Soup for Internal Controls: SSAE 16, SOC 1, SOC 2 and SOC 3

Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA) rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992.  Along with this new standard are new associated report standards — Service Organization Control (SOC) Reports, of which there are three:  SOC1, SOC 2 and SOC3.  


The increased attention in recent years given to an organization’s internal controls has somewhat naturally extended to the internal controls of service providers and support partners.  This is based partly on the simple notion that any given control environment is only as strong as its weakest link, so validation of controls implemented by significant service providers makes sense.  It’s long been customary where service provider controls are sought to be confirmed that a SAS 70 report would be requested from the service provider.  SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place to the extent those controls have an impact on client financial statements.  While SAS 70 is not truly focused on specific controls or whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls.  SSAE 16 and the new SOC reports were specifically intended to address this shortcoming.

SOC Reports

SSAE 16 — Standards for Attestation Engagements No. 16 — along with AT Section 101, Attest Engagements, provides for three types of Service Organization Control reporting options.  A  SOC 1 report focuses on a service provider’s controls to the extent they may impact a user’s financial statements.  A SOC 2 report  is a restricted report on controls related to specific compliance or operational concerns  in the following five trust service areas:  security, availability, processing integrity, confidentiality or privacy.  Both SOC 1 and SOC 2 options alow for a  Type 1 and a Type 2 report.  A Type 1 report  provides a description of the service provider’s system for the relevant compliance or operational area and the auditor’s opinion of the fairness of that description and its suitability.  A Type 2 report includes a description of the actual testing performed by the auditor as well as the test results.  Finally, a SOC 3 report addresses whether a service provider’s controls satisfied various criteria for the five trust services areas and may be generally distributed to third parties (not only users) and allows the display of a SOC 3 seal for the service provider’s website.

Report Uses

 We all know that the business environment is characterized by a substantial degree of interdependence among business organizations, particularly with service providers.   As it relates to the realm of technology, it’s both a best and a smart business practice for a technology service provider to make available – and to be expected to provide — to its client users additional assurances concerning the controls that the service provider has in place for security, availability, processing integrity, confidentiality or privacy concerns.  SOC 1, 2 and 3 reports readily address this business requirement on both of sides of that equation.  It may just be a happy coincidence, but the availability of these new SOC reports is right in step with the emergence of the cloud computing phenomenon and the numerous concerns that cloud-based technology services raise with the five key trust areas noted above. 

The takeaway:  expect to see SOC reports  become SOP before long.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: