Previously, in "SAS 70 has been replaced by SSAE 16. What does that mean for service providers and their customers?", I outlined the similarities and differences between SAS 70 and SSAE 16 audits. Now I will highlight the reporting options available with SSAE 16 and the additional auditing and reporting options the American Institute of CPAs (AICPA) developed for IT outsource services, e.g. data centers and cloud hosting providers.
SSAE 16 is the new audit standard for “Reporting on Controls at a Service Organization” (including data centers) within the United States.
SSAE 16 offers three Service Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3. According to the AICPA, the reporting options are “designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs.”
SOC 1 is known as the “Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting.” In essence, this is what SAS 70 was supposed to be: reporting on financial controls at a service organization as an auditor-to-auditor communication tool. It was never intended to be a data center centric audit.
A SOC 1 report is the basic SSAE 16 report and, just like SAS 70, it is issued as either a Type 1 or a Type 2 report. A Type 1 report is an auditor’s opinion on the accuracy and completeness of the service provider’s management description of the system or service, including the suitability of the design of the provider’s controls, as of a specific point in time. A Type 2 report includes everything from a Type 1 report AND verifies the operating effectiveness of the controls over a specified period of time; a calendar year, for example.
Ok, you just went through an SSAE 16 audit and have a SOC 1 report. So now you’re SSAE 16 or SOC 1 “certified,” right? No, you’re not. A service provider does not receive a certification after it has been SSAE 16 audited. So, don’t call yourself “Certified” (just yet …).
To address the need for a standard approach to auditing non-financial controls (e.g. IT centric data center controls) and the need for a certification process, the AICPA created the SOC 2 and SOC 3 reporting standards.
SOC 2 – the “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” – is an audit of non-financial controls related to the compliance and operations of a service provider. This report is used by a provider’s management, its customers and prospects, business partners and other organizations associated with the provider as a tool to assess the provider’s control environment.
This report, as well as the SOC 3, is built upon a set of pre-defined controls outlined within the AICPA Trust Services Principles and Criteria. The AICPA developed these criteria for evaluating the design and operating effectiveness of controls at a data center or other service organization. The AICPA defines the Trust Services Principles as the following five attributes of a reliable system:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.
SOC 3 – the “Trust Services Report for Service Organizations” – is a general use report that can be distributed and promoted with the SOC 3 seal on the service organization’s website. It reports on the same non-financial controls related to compliance and operations at a service organization that are described under SOC 2 above.
So, what’s the difference? Certification!
Now, with a SOC 3 report, data center and other cloud providers can say they are certified once an auditor issues the opinion that the service provider has met the Trust Services criteria. Then and only then can the provider display the “SOC 3: SysTrust for Service Organizations” seal.
What the AICPA has delivered is a real win for both the service provider community and their customers. Both get clarity on control standardization. Moreover, the service provider receives a certification and the customers get what they’ve been seeking – a control benchmark to use when comparing data center operators and outsource service providers.
For more information about the:
- SOC Reports Information for Service Organizations, visit: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization’smanagement.aspx
- AICPA Trust Services Principles and Criteria, visit: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Services%20Principles—An%20Overview.aspx
- SysTrust for Service Organizations seal program, visit: www.webtrust.org