This article provides an overview of the SOC 1, SOC 2, and SOC 3 reports, explaining when and why to use each one.
From SAS to SOC
To best understand SOC reports, it’s helpful to know why the AICPA created them. The past several years have seen rapid growth in the number of businesses outsourcing various functions to service organizations such as cloud computing providers. Examples of traditional services provided by service organizations include payroll processing and medical claims processing; relatively newer services include human resources, document management, workflow, and tax processing. The growth in outsourcing has been fueled by a number of factors, including the recent economic recession, pressure to improve operational costs, an increasingly virtual workforce, and a lack of internal resources to support a process or function.
The rise of cloud computing has played a key role in the number of businesses that outsource functions to service organizations. Entities that use service organizations are referred to as “user entities” in SOC terminology. Because the cloud consists of servers accessible through the internet, cloud computing providers can offer user entities access to applications, data storage, and numerous other computing functions on a pay-as-you-go basis. This model often proves more convenient and cost effective for user entities, which are happy to shed the cost, time, and risk associated with having to buy software licenses and pay for the purchase and maintenance of servers.
In many of these outsourcing situations, user entities submit personal or confidential customer information to service organizations for processing or storage. A breach in privacy practices may occur while such information is at the service organization, but even then the user entity retains responsibility for protecting it. Such liability concerns and the growth in cloud computing have elevated the marketplace demand for assurance regarding the confidentiality and privacy of information processed by a service organization’s system.
The old SAS 70 standard was designed to assist CPAs reporting on controls at a service organization that affect user entities’ financial statements, not for reporting on controls at a cloud computing provider that affect the privacy of customer data. However, in the absence of a better option, SAS 70 was improperly used as the framework for such assessments, and terms such as “SAS 70 certified” were inappropriately used by many service organizations to indicate that their system controls had been found to be reliable and trustworthy.
Because of the confusion and misuse of SAS 70, the AICPA replaced it with the SOC framework.
The ‘flavors’ of SOC
As part of the Auditing Standards Board’s clarity project, the AICPA split SAS 70 into two new standards: the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) for service auditors (effective for SSAE 16 reports for periods ending on or after June 15, 2011) and a new SAS for user auditors (effective for 2012 year-end audits).
Like SAS 70, the SSAE 16 standard focuses on guidance for auditors assessing financial statement controls at service organizations. This is the basis of the SOC 1 report.
The SOC 2 and SOC 3 reports both look at a service organization’s controls relevant to the security, availability, or processing integrity of a service organization’s system or the privacy or confidentiality of the information the system processes. These reports are based on AT Section 101, Attest Engagements, and the controls are evaluated using the trust services principles and criteria.
SOC 1 and SOC 2 are similar to SAS 70 in that both have type 1 and type 2 report options, as explained in more detail below.
Source: AICPA
SOC 1
- In its simplest form, SOC 1 is a report on controls at a service organization relevant to a user entity’s internal control over financial reporting. A type 1 report focuses on a description of a service organization’s system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A type 2 report contains the same opinions as a type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A type 2 report also includes a detailed description of the service auditor’s tests of controls and results.
- Use of the report is restricted to the management of the service organization, user entities, and user auditors.
SOC 2
- Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
- Uses the trust services criteria.
- Similar to SOC 1 in that a type 1 or type 2 report is available.
- Includes a description of the service auditor’s tests of controls and results.
- Use of the report “generally” is restricted.
SOC 3
- This is a trust services report for service organizations.
- Covers the same subject matter as SOC 2.
- Does not include a description of the service auditor’s tests of controls and results. Also, the description of the system is less detailed than the description in a SOC 2 report.
- A seal can be issued on a service organization’s website. The Canadian Institute of Chartered Accountants (CICA) administers a seal program for these engagements (if the CPA is licensed for the seal by the CICA).
- The use and distribution of the report is NOT restricted.
Here’s a quick look at the users, content, and purpose of SOC reports.
Source: AICPA
The AICPA has approved two logos that service organizations and CPAs may use in marketing their services related to SOC engagements. These logos may be used in promotional material or displayed on a website. Note that these are not seals to be displayed on the website of a service organization that has received a SOC 3 report within the past year from a CPA licensed for the seal by the CICA.
For CPAs who provide SOC 1, SOC 2, or SOC 3 engagements, the only logo approved for use is:
For service organizations that have received a SOC 1, SOC 2, or SOC 3 report issued within the past year, there is also only one logo that may be used. The logo approved for use is:
For more information, the AICPA has resources available at AICPA.org/SOC.