The ever-growing emphasis on governance, risk management, and compliance has driven companies to focus on internal controls over all aspects of their operations. Service organizations providing outsourced services (IT, business processes, etc.) often engage a third party audit firm to attest to the design and operating effectiveness of these controls. For many years, the auditor’s report was governed by the American Institute of Certified Public Accountants’ (AICPA) Statement of Standards (SAS) No. 70 or “SAS 70.” However, a more comprehensive Statement of Standards on Audit Engagements (SSAE) 16 was developed to address evolving risks for a broader audience and the following three Service Organization Control (SOC) reports became effective June 15, 2011.
SOC 1 (f. SSAE 16) Report: Report on controls at a Service Organization relevant to User Entities’ Internal Control over Financial Reporting
SOC 1(formerly SSAE 16) reports are intended to address the needs of the entities utilizing service organizations (user entities) and the CPAs auditing the user entities’ financial statements (user auditors), but may be tailored to address a broader scope of risk and control. SOC 1 reports replace the legacy SAS 70 standard, and use is generally restricted to management of the service organization, user entities, and user auditors.
SOC 2: Report on controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC 2 reports are prepared in accordance with SSAE 16’s AT Section 101 and follow Trust Services Principles, specifically SysTrust and WebTrust, developed by the AICPA and Canadian Institute of Chartered Accountants (CICA). The reports include very detailed information on Service Organization controls relevant to security, availability, processing integrity of a system, or confidentiality and privacy of information. Primary stakeholders for SOC 2 reports are generally management of user entities but may also include additional parties at the discretion of the auditor and in accordance with the standard.
SOC 3 Report: Trust Services Report for Service Organizations
SOC 3 Reports follow the same Trust Services Principles and address similar scope as a SOC 2 but are less detailed and can be made available for public consumption. Service Organizations may share the more general use SOC 3 report with prospective customers or utilize it as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc. A SOC 3 seal may also be displayed on the Service Organization’s website.
There are also two types of Service Auditor’s reports: Type I and Type II. A Type I report documents the service organization’s description of control objectives and controls at a specific point in time (e.g., June 30, 2015) and whether stated controls are suitably designed to meet control objectives. A Type II report not only includes the service organization’s description of controls, but also includes verification of design and detailed testing of the operational effectiveness of controls over a six to 12 month period (e.g., October 1, 2014 to September 30, 2015). SOC 1 and 2 reports may be issued as either a Type I or a Type II while SOC 3 reports may only be issued as a Type II.