Recent Updates to Service Organization Control (SOC) Audit Reports by J. Stephen Nouss, CPA
Posted on October 23, 2017 by Steve Nouss
As more businesses outsource operation-critical applications and services to third-party providers, they demand assurances that the vendors with whom they choose to work abide by the highest levels of security, availability, processing integrity, confidentiality and privacy requirements. They need to know that their partners’ offerings provide a solution for improving business processes. In today’s environment, they also need confidence that their partners have in place the appropriate controls to manage data security, compliance and regulatory risks. After all, if a business customer’s confidential data is exposed due to a security breach at the service organization level, it is the business that will be held responsible and risk loss of customers and reputation.
To help service organizations build trust among their business partners, many are turning to independent CPA firms to audit and prepare formal reports about their Service Organization Controls (SOC). These SOC audit reports demonstrate that service providers employ best practices for monitoring controls and managing risks in a changing business environment. For example, the reports are applicable to software as a service (SaaS) cloud-based applications; cloud computing and data storage; payroll processing, billing and collection services; as well as financial institutions and health care providers that must abide by the customer confidentiality and data privacy provisions of the Gramm–Leach–Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), respectively.
While the American Institute of CPAs (AICPA) created the SOC framework some time ago, it adopted new guidance in May 2017 to replace the previous “Statement on Standards for Attest Engagements” (SSAE 16) in favor of a simpler SOC 1 report on “Concepts Common to all Attestation Engagements” (SSAE 18). By consolidating multiple attestation standards that clarify the assurance services provided by independent CPA firms, the new guidance includes the following principles:
- Service organizations must more effectively monitor the controls of their subservice organizations. An example of a subservice provider would be Amazon Web Services, which provides third-party remote infrastructure and cloud computing services. The stricter rules require new processes for vendor management services to reconcile output reports, test controls at the subservice organization, make regular site visits to the subservice location and monitor external communications, such as customer complaints about the organization.
- SOC reports must include “Complementary Subservice Organization Controls.” This requires service organizations to include controls performed by subservice organizations into the design of their overall controls and control system descriptions.
- Service organizations must provide auditors with more evidence to support the accuracy and completeness of their controls, along with management’s sign-off on its assertions.
- SOC auditors must conduct more in-depth risk assessments to better identify the risks of material misstatement in an engagement and the level of audit work to be completed at the subservice organization.
SOC reports will continue to address the AICPA’s Trust Service Principles of security, availability, processing integrity, confidentiality and privacy, and provide businesses with assurances that service providers have in place good internal controls around the interrelated components of the control environment, risk management, information and communication, monitoring, and control activities. Additionally, SOC examinations provide service organizations with an opportunity to enhance their business processes and ensure that they meet industry best practices. The three types of SOC reports include:
- SOC 1 Reports address service organizations’ internal controls surrounding their reporting of financial information. A SOC 1 report comes in two types: one that substantiates “Suitability of Design at a Point in Time” (Type 1 Report), and one that substantiates “Suitability of Design and Operating Effectiveness over a Period of Time,” typically six to 12 months (Type 2 Report).
- SOC 2 Reports address the design and effectiveness of service organizations’ controls related to security, availability, processing integrity, confidentiality and privacy, both at a point in time (Type 1) and over a period of time (Type 2).
- SOC 3 Reports also address the security, availability, processing integrity, confidentiality and privacy of service organizations’ systems. However, the information is provided in a summarized format, which service organizations may use as a broad marketing statement attesting to the design or operating effectiveness of their controls.
Berkowitz Pollack Brant’s Business Consulting Group is registered with the AICPA to provide service businesses with SOC audits and reports that help improve transparency and build trust among service organizations’ current and prospective customers.
About the Author: Steve Nouss, CPA, is chief consulting officer with Berkowitz Pollack Brant, where he provides profit-enhancing CFO services, operational reviews, enterprise risk management, internal audit and anti-fraud services for businesses of all sizes. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or via email at firstname.lastname@example.org.