Discover the Right SOC Report for Your Service Providers

02/02/2016  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


More service providers are recognizing the importance of completing a Service Organization Control (SOC) Report. It reinforces better controls and protocols, data protection, and regulatory compliance. Service providers recognize that a SOC report can be the difference between winning and losing a client.

However, embarking on a SOC audit is not for the faint of heart. It shouldn’t be approached lightly; it requires attention to detail, good resources and time. Depending on your level of readiness and the report type, the process can take anywhere from a few months to a year or longer from start to finish for newbies. Mature organizations can expect a shorter timeline – assuming that they’ve already got the necessary controls, processes and technologies.

Which SOC Report is Right for You?

The first step to SOC completion is selecting the right report. Depending on your circumstances, one may be required over another. Created by the American Institute of Certified Public Accountants (AICPA), a SOC report is a thorough audit of a service organization’s (SO) controls (systems, processes and policies). The chart below can help you select the right one:

HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU

  • Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? Yes: SOC 1 Report
  • Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes: SOC 1 Report
  • Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s IT systems? Yes: SOC 2 or 3 Report
  • Do you need to make the report generally available to non-customers? Yes: SOC 3 Report
  • Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests? Yes: SOC 2 Report. No: SOC 3 Report

Source: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization%27sManagement.aspx

Let’s delve a little deeper into what each entails:

  • SOC 1® Report – Report on Controls at a SO Relevant to User Entities’ Internal Control over Financial Reporting (SSAE 16)
    Prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a SO, it is intended to meet the needs of entities that use SOs (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). The effect of the SO’s controls on the user entities’ financial statements is evaluated, and the reports are used in performing the user entities’ financial statement audits. Reports are restricted to the SO’s management, user entities, and user auditors.

    • Type 1 – report on the fairness of the presentation of management’s description of the SO’s system and the suitability of the design of controls to achieve the related control objectives included in the description as of a specified date.
    • Type 2 – report on the fairness of the presentation of management’s description of the SO’s system and the suitability of the design and operating effectiveness of controls to achieve the related control objectives included in the description throughout a specified period.

  • SOC 2® Report – Report on SO Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
    These reports are intended to meet the needs of a broad range of users who require information and assurance about the SO’s controls affecting the security, availability, and processing integrity of the systems that process users’ data, and the confidentiality and privacy of the information processed by these systems. Users of this report include management of, or those charged with governance of, the user entities and the SO, SO customers, regulators, business partners, suppliers, and others with an understanding of the SO and its controls. Use of these reports is generally restricted to parties with this understanding. The AICPA Guide, Reports on Controls at a SO Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (under development), provides guidance for these engagements. These reports can support:

    • Organization oversight
    • Vendor management programs
    • Internal corporate governance and risk management processes
    • Regulatory oversight

    Similar to a SOC 1, there are two report types for this engagement: Type 1 – report on management’s description of an SO’s system and the suitability of the design of controls; Type 2 – report on management’s description of an SO’s system and the suitability of the design and operating effectiveness of controls. Report usage is generally restricted.

  • SOC 3 Report – Trust Services Report for SO
    These reports are designed for users who need assurance that the SO has controls related to the security, availability, and processing integrity of the systems that process users’ information and the confidentiality or privacy of their data, but who don’t have the need for – or the knowledge necessary to make effective use of – a SOC 2 Report. Prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy, they are general use reports and can be freely distributed.

Unlike a SOC 1 report, which is only an auditor-to-auditor communication, a SOC 2 Report (generally restricted use, shared at the auditor’s discretion using guidance in the standard) and a SOC 3 Report (general use in all cases) enable the SO to share a report that is relevant to current and prospective customers, or to use it as a marketing tool to demonstrate that appropriate controls are in place to mitigate risks related to security, privacy, etc.

The Trust Services Principles in SOC 2/3 Reports

Technology makes data security a necessity, particularly for customers of information systems. The Trust Services Principles (TSP) and Criteria, the basis for SOC 2 and SOC 3 reports, target the control areas most important to customers of SOs that provide outsourced IT services. The TSP consists of five principles, each with its own objective:

  • Security – The system is protected against unauthorized physical and logical access.
  • Availability – The system is available for operation and use as committed or agreed.
  • Confidentiality – Information designated “confidential” is protected as committed or agreed.
  • Processing Integrity – System processing is complete, accurate, timely, and authorized.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).

SOs can choose one or any combination of them according to their customers’ needs.

Within each principle are specific required criteria. A large percentage of the criteria are common across the principles, the exception being Privacy, which is based on GAPP. The criteria are organized into seven categories:

  1. Organization and Management
  2. Risk Management
  3. Logical & Physical Access
  4. Systems Operations
  5. Change Management

For the SOC 2 or SOC 3 report, the SO will identify controls that map to the required criteria in each area. The auditor then tests the controls as part of the attestation.

Conclusion

Understand your business scope before selecting your SOC report and criteria. With careful consideration of each step, you’ll be better positioned to attain attestation faster and more efficiently. Best of all, your customers will have greater confidence in you as their service provider.