New Audit Standards for Privacy and Data Security Controls: SOC 2 and SOC 3 Reports
For nearly 20 years, the SAS 70 audit has been a mainstay of business process outsourcing contracts. Covering the gamut from transaction processing and sales force automation to cloud computing and beyond, these contracts typically require service organizations to submit to periodic SAS 70 audits. This practice enables a customer to determine whether its service organization is managing the outsourced process effectively and securely.
As a result of recent changes at the American Institute of Certified Public Accountants (“AICPA”), which originally published the SAS 70 audit standards in 1992, this time-worn framework is now obsolete.
In short, the reign of the one-size-fits-all SAS 70 ended on June 15, 2011. AICPA inaugurated a new era in which the nature of the outsourced business process will determine the type and manner of audit, and audit reports will include written assertions prepared by service organization management. Though the market likely will take some time to adjust to these changes, they should result in increased transparency and accountability. They could even mitigate the risks inherent in outsourcing engagements. In any event, they likely will enable a customer and its service organization to more fairly allocate such risks by considering carefully at the outset of their relationship what types of controls should be implemented based on the nature of the outsourced process.
- AICPA effectively replaced SAS 70 with a new set of standards, entitled Statement on Standards for Attestation Engagements No. 16 (“SSAE No. 16”), which is at least as rigorous as SAS 70. SSAE No. 16 is effective for reports covering periods ending on or after June 15, 2011.
- SSAE No. 16 reports are one of three types of so-called service organization control reports (“SOC Reports”). Although all SOC Reports are prepared according to similar standards, they cover different service organization controls, and generally are subject to varying use restrictions:
  - An SSAE No. 16 report is known as a SOC 1 Report. Like its predecessor SAS 70 (contrary to conventional wisdom), a SOC 1 Report is specifically designed to cover controls that affect the customer’s own financial statements. SOC 1 Reports do not cover controls relating to other subject matter (e.g., they do not cover controls relating to data privacy and security). Use of SOC 1 Reports is restricted to customer auditors and customer and service organization management.
  - A SOC 2 Report covers controls relating to security, availability, processing integrity, confidentiality, and/or privacy. Use of SOC 2 Reports generally is restricted to service organization and customer personnel and professionals working on their behalf.
  - A SOC 3 Report is an abbreviated SOC 2 Report. It is designed for customers who want assurance with respect to controls covered in a SOC 2 Report, but do not need the level of detail provided in a SOC 2 Report. Use of SOC 3 Reports is unrestricted.
In SOC 1 and SOC 2 engagements, the service organization’s auditor may generate either a “type 1” report or a “type 2” report. A type 2 report generally provides more assurance than does a type 1 report. In both type 1 and type 2 reports, the service organization must describe its system (comprising physical and IT infrastructure, software, personnel, procedures, and data), the nature of the service performed, how the service is performed, and the service organization’s controls over the service and related control objectives.
In a type 1 report, the service auditor expresses an opinion on whether the service organization’s description describes what actually exists and whether the described controls are suitably designed. A type 2 report includes the same opinions that are included in a type 1 report, and also includes an opinion on whether the controls operated effectively during the applicable period.
The most significant difference between the legacy SAS 70 and the new SOC 1 or SOC 2 Report is the new requirement that the service organization’s management prepare a written assertion (a) about the fairness of the description of the service organization’s system, (b) about the suitability of the design of the controls, and (c) in a type 2 report, about the operating effectiveness of the controls. This assertion either will accompany the service auditor’s report or will be included in the service organization’s description of its system.
Following are several links to helpful AICPA resources—