Gaining Assurance Over Third Party Processors: SOC 1, SOC 2 & SOC 3 Reporting
By John McLaughlin, Partner, Assurance Services
Third party processing organizations (a.k.a., service organizations) spanning a variety of business sectors, including distribution, financial services, technology, life sciences, services and healthcare, are increasingly being requested by their customers (a.k.a., user organizations) to obtain assurance reports on controls related to the integrity of certain processes and security over sensitive information being handled by those third parties.
Many user organizations realize that they continue to be responsible for the activities conducted by the third party processing organization regarding outsourced aspects of their businesses. The customers of these user organizations are looking for greater assurance over how their information is used and protected. A good deal of this concern has been driven by regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Graham Leach Bliley Act (GLB), the Meaningful Use standards of the Centers for Medicare and Medicaid Services (CMS), and others including various state and international privacy laws. Also, as the number of data breaches continues to climb, cybersecurity and the protection of data gain increasing importance to many organizations.
Evolution of SOC 1 and SOC 2
Statements on Standards for Attestation Engagements No. 16 (SSAE 16) is an update to the previous standard, known as Statement on Auditing Standards No. 70 (a.k.a., SAS 70), created in the early 90's by the American Institute of Certified Public Accountants (AICPA), in which an auditor would provide assurance regarding specific control objectives over transactions and processes related to financial reporting. Service Organization Control No. 1 (SOC 1) reports are conducted using this standard and are based upon the achievement of control objectives, as well as underlying control activities established by management of the service organization. Depending upon the nature of the services provided, control objectives often include a combination of IT General Control objectives as well as financial processing control objectives.
A separate set of standards was developed in 2001 by the AICPA to establish requirements for CPAs examining and issuing reports on controls over matters not related to financial reporting. These requirements are codified within AT Section 101, Attestation Engagements, of the AICPA's attestation standards. Reports issued under AT 101 often utilize the AICPA's Trust Services Principles, which relate to security, availability, processing integrity, confidentiality, and privacy.
Lately, many of the audits utilizing the Trust Services Principles and issued under AT 101 that are gaining prominence in the marketplace include Service Organization Control No. 2 (SOC 2) and Service Organization No. 3 (SOC 3) reports.
Each of the five Trust Service Principles is supported by dozens of criteria, and service organizations may choose to comply with one, several or all five Principles.
|Trust Services Principles Overview|
Type 1 vs. Type 2 Reports
Within both SOC 1 and SOC 2 engagements, the auditor may issue two types of reports, namely a Type 1 or Type 2 report. Specifically, a Type 1 report addresses management's description of the system and the suitability of the design of controls as of a specific date. A Type 2 report addresses management's description of the system, the suitability of the design, and the operating effectiveness of controls over a period of time (e.g., six months). The demand for Type 2 reports is far outpacing the demand for Type 1 reports, as customers of third party service organizations are seeking a greater level of assurance that controls have been in place and working for an entire fiscal year (i.e., 12 months) of processing activity.
Revisions to SOC 2 Standard
While the Trust Services Principles were developed nearly 15 years ago, they were relatively ignored until just a few years ago as the demand for assurance related to security, privacy and confidentiality intensified. A greater number of organizations have been seeking assurance over these concepts primarily based upon the rapidly changing technology and business environment associated with the use and exchange of sensitive information, especially Personally Identifiable Information (PII) and Protected Health Information (PHI).
Revisions to the SOC 2 standard introduced by the AICPA during 2014 and 2015 were intended to increase the clarity of certain criteria underlying all five Principles and eliminate the redundancy among the criteria. As a result, the revised SOC 2 Standard introduced the use of "Common Criteria" that are applicable to all five Principles and help to streamline compliance with the standard. The revised standard also enhanced the concept of risk assessment, including potential threats such as those arising from the use of vendors and other third parties.
The AICPA has indicated the most recent Exposure Draft from June 2015 will go into effect for periods ending after March 15, 2016; however, earlier implementation will be permitted once the standard is finalized. For more information related to the Trust Services Principles Exposure Draft, June 15, 2015.
SOC 3 Reports
SOC 3 reports are designed to meet the needs of third party users who want some level of assurance on the controls at a service organization related to the SysTrust Principles, but may not have the need for or the knowledge necessary to make effective use of a SOC 2 report. SOC 3 reports are prepared using the AICPA's and CPA Canada's (formerly Canadian Institute of Chartered Accountants) Trust Services Principles, yet contain much less detail than what is contained within a SOC 2 report. SOC 3 reports are considered "general use reports" and, therefore, can be freely distributed by the service organization. For instance, a Third Party Service Organization may not wish to share the proprietary details of a SOC 2 report with the public, nor a prospective customer in certain cases. In this instance, a SOC 3 report will be made available.
It is clear that more people are reading SOC reports - in detail. For a variety of reasons, primarily stemming from the need for improved information security and control, SOC reports are receiving newfound attention from the users of the reports. But more importantly, the substance of SOC reports is under increased scrutiny from a wider audience of report users, including senior and mid-level management, internal auditors, attorneys, and certain regulatory authorities such as the PCAOB and SEC. While receiving an unqualified opinion obviously matters quite a bit, the form, substance and quality of the pages that follow matter just as much.