SOC 1, SOC 2, SOC 3, SSAE 18 Audit Services
Outsourcing is on the rise despite increasing cybersecurity breaches. In today’s challenging world of Blockchain, AI, IoT, and Cloud, you need to be a step ahead of your competitors. Think of the AICPA SOC report as your company’s “Security Best Practices”. You need to demonstrate a level of confidence that your organization can handle your clients’ most confidential and valuable information, and that you have the procedures and controls in place to provide the required assurance. SOC stands for System and Organization Controls (formerly Service Organization Controls). SSAE 18 SOC compliance reports are often used for Vendor Risk Management and for SOX compliance. A SOC 2 Type 2 compliance report or SOC 1 Type 2 audit report provides the much needed assurance of the operating effectiveness of controls.
Data Security & Privacy are increasing concerns for many organizations. This is especially important where data is regulated or sensitive, as in the case of compliance requirements for HIPAA, PCI, CCPA, EU-GDPR etc. Cloud environments are adding to the complexity of the issue. Privacy laws are being enforced that lead to heavy fines or penalties. SSAE 18 SOC 2 compliance reports are now commonly used to report on Cloud Data Security & Privacy controls such as the CSA's Cloud Controls Matrix (CCM), C5, GDPR, CCPA or other privacy controls.
Formerly known as SAS 70, then SSAE 16 and now SSAE 18, these reports have been in use for several years. The AICPA SOC Auditor is also known as the Service Auditor. The SOC 1 compliance report mirrors ISAE 3402 and the SOC 2 audit report mirrors ISAE 3000. A major difference between SOC 1 and SOC 2 is Financial versus Non-Financial Data. SOC 1 is mainly used for Internal Controls over Financial Reporting (ICFR). The SOC Auditor (Service Auditor) can issue a joint SOC and ISAE report. SSAE stands for Statement on Standards for Attestation Engagements. All SSAE standards, including SSAE 16, were merged into SSAE 18. This is the major difference between SSAE 16 and 18. A SOC compliance report is technically an "Attest" report and not an "Audit" report. SOC reports can be carve-in or carve-out depending on whether subservice organization controls are included or not. More details for SOC 1 or SOC 2 Type 2 Audit.
The SOC compliance engagements can be split into 2 main requirements:
SOC 1 OR ISAE 3402
Addresses controls related to User Entities’ Internal Control over Financial Reporting (“ICFR”). It is used by service organizations affecting the financial reporting of user organizations.
Reports are for User Auditor, & Management of User and Service Organization.
SOC 2 OR ISAE 3000
A SOC 2 compliance report conveys trust and assurance to users of the system that the service organization has deployed an effective control system to mitigate the operational and compliance risks that the system may represent to its users. It addresses System and Organization Controls (SOC) using the Trust Services Criteria (TSC), which service organizations apply and report on for controls that may affect users of their service. A SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the TSC, which are:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with TSC criteria. These were formerly known as the Generally Accepted Privacy Principles (GAPP) by the AICPA.
SOC 2 Reports are for Knowledgeable Parties.
SOC 3 REPORT
A SOC 3 engagement is similar to a SOC 2 engagement in that the practitioner reports on whether an entity (any entity, not necessarily a service organization) has maintained effective controls over its system with respect to the TSC. A SOC 3 report may not include details of the controls. It is commonly used in B2C environments.
SOC TYPE 1 vs TYPE 2 REPORTS
TYPE 1 REPORT
- The report is as of a point in time (i.e., as of 12/31/200X)
- Looks at the design of controls – not operating effectiveness
- Limited use & considered for information purposes only
- Useful for purposes of limited reliance by user auditors
- Generally performed in the first year that a service organization has a SOC reporting requirement
TYPE 2 REPORT
- The report covers a period of time, generally not less than 6 months and not more than 12 months
- Differentiating factor: includes tests of operating effectiveness
- May provide the user auditor with a basis for reducing the assessment of control risk below maximum
- Requires more internal and external effort
- Identifies instances of noncompliance with the stated control activity
- More emphasis on evidential matter
A TYPE 2 REPORT CURRENTLY PROVIDES THE MOST REASONABLE ASSURANCE FOR THE FOLLOWING REASONS:
- A SOC Type 2 report can cover the entire year to provide the operating effectiveness of the controls in place
- It is a third-party period-of-time assessment and so provides accountability
- Since it is a period-of-time assessment, it is closer to continuous compliance, with low risk and high reliability
- Can include Sub Service Organization Controls using the carve-in approach
- Most other assurance programs or audits are usually, at a point in time
- SOC 2 Plus reports can cover specific mandates e.g. Cloud Security and Privacy
- Provides a high-reliability SOC Seal by AICPA