What's the risk?

Businesses are increasingly outsourcing functions to service organizations (third-party providers)—such as the outsourcing of entire technology and operational functions as part of cloud computing relationships. These outsource connections and relationships present new and emerging risks across the operational, compliance and financial spectrum. Consider that a customer (user entity) of a service organization is exposed to the risks of the service organization as well as those of the service organization's customers, clients and users.

Headlines regarding security, privacy breaches and fraud highlight the need for managing risk and tightening internal controls. So do regulatory actions (the Sarbanes-Oxley Act, Basel II, HITECH and HIPAA among them). Organizations must demonstrate they have addressed issues related to security, availability, processing integrity, confidentiality and privacy for today's world. Users need assurance that an organization's internal controls are capable of minimizing exposure to such risk.

AICPA's  SSAE 16 attestation standard, AT 101, Attestation Engagements and Trust Services Principles form the basis for SOC reporting AICPA’s  three SOC reports, SOC 1, SOC 2 and SOC 3 provide CPAs  with the necessary framework and tools to examine controls and help management understand risks and provide objectives evaluation of the effectiveness of internal controls.

The SOC flexible reporting approach tackles internal controls over financial reporting (ICFR) as well as operational and compliance related risks. In all three SOC reports, the CPA firm/auditor provides a reasonable level of assurance regarding relevant controls.

As in SSAE 16 attestations, SOC1 and SOC2 engagements are offered in two types of examination reports related to time, and controls testing/results:

Type 1 –The service auditor expresses an opinion on whether the description is fairly presented (does it describe what actually exists?) and whether the controls included in the description are suitably designed as of a specified date. Controls that are suitably designed are able to achieve the related control objectives if they are in place and are designed properly to mitigate risks.

Type 2 – The service auditor's report contains the same opinions that are included in a Type 1 report, but also includes an opinion on whether the controls were operating effectively throughout a specified period. Controls that operate effectively will provide reasonable assurance that control objectives that were intended will be achieved.

Why Sparrow, Johnson & Ursillo?

We are fully conversant and experienced in SOC reporting. Very importantly, we can identify the right report for your organization and its specific needs. And we provide the objective, detailed analysis you need to assure stakeholders and to support management decision making. After evaluating your business needs and IT environment, SJU provides the appropriate SOC reporting service.

SOC 1

SOC 1 reports focus solely on service organization controls relevant to an audit of a user entity's financial statements. SOC 1 engagements are performed under SSAE 16. It is intended to be a restricted use report.

Reporting on management’s assertion regarding its information system plus the system’s controls, SOC 1 evaluates internal controls by focusing on technical risk-based design of controls  plus system transparency. When a service organization's controls are likely to be relevant to a user entity's (customer) internal control over financial reporting, SOC1 is the reporting choice. It is often part of a financial statement audit. It is a restricted use report that can be delivered to other auditors, company management and to customer (user entity) companies. Among other features,  SOC1 is:

• Assertion based—SOC1 uses an attestation standard rather than an audit standard, which means the CPA auditor examines an organization based on a documented assertion supplied by the  organization’s management
• ICFR focus—the report is only used when the service organization's services and controls affect the internal control over financial reporting for the organization's users
• Management’s system description must relate to the specified attestation period (Type 1 or Type 2)

Risk based—management is responsible for identifying risks that threaten achievement of control objectives stated in the system description, and then deploying controls to mitigate those risks

Example: An employee benefit plan uses a bank trust department for investment purposes. A user  auditor of the benefit plan would need information on the plan’s internal controls over financial reporting as well as controls in place at the bank trust. A SOC1 report, conducted by a CPA service auditor, would provide the user auditor with the needed assurance.

SOC 2

SOC 2 engagements address controls at the service organization that relate to operations and compliance. Unlike SOC1, it is not intended to provide assurance on internal controls over financial reporting. It is based on AICPA's Trust Services Principles, Criteria and Illustrations, and AT 101, Attestation Engagements. It, too, is intended to be a restricted use report.

A SOC 2 report is an attestation-based examination of controls involving the security, availability, processing integrity, confidentiality and privacy of an organization’s IT system. With a level of transparency similar to a SOC1 report, a SOC 2 report on management's assertion regarding its information system plus the system's controls. This restricted use report addresses one or more of the Trust Services Principles domains:

1. Security: the system is protected against unauthorized access (both physical and logical)
2. Availability: the system is available for operation and use as committed or agreed
3. Processing Integrity: the system processing is complete, accurate, timely, and authorized
4. Confidentiality: confidential information is protected as committed or agreed
5. Privacy: personal information is collected, used, retained, disclosed and destroyed in conformity with organization’s privacy policy (based on Generally Accepted Privacy Principles (GAPP) established by the AICPA and CICA)

Example: A cloud computing service provider can assure its customers via a SOC 2 report that it maintains the confidentiality, availability and security of customer information with adequate internal controls.

SOC 3

SOC 3 engagements address controls at the service organization that relate to operations and compliance.

Also known as a Trust Services Report for service organizations, SOC 3 relates to the effectiveness of a service organization’s system controls and how well the organization is complying with its control objectives. It is also structured to report on management’s assertion regarding its information system plus the system’s controls. Like SOC 2, it is not for financial reporting purposes, but for operations and compliance. It is guided by AT 101 and Trust Services Principles, and criteria can address any of the five principles.

• SOC 3 differs mainly from SOC 2 in that it: Is less transparent and more general in nature and provides broader insight into security, confidentiality, processing integrity, availability and privacy provided by internal controls based on  publicly available and published AICPA Trust Services Principles and Criteria.
• Provides only the service auditor's opinion on whether the system achieved the trust services criteria and includes no description of tests or results of the test on the relative controls.
• Is an unrestricted use report, can be freely distributed for marketing purposes, and allows for display of a SOC 3 seal, for example, on a website.

Example: A health care claims management/processing company needing to provide compliance with HIPPA regulations could assure regulators and potential customers of its system and business process safeguards over sensitive patient information with a SOC3 report. Because the SOC3 rules allow the service organization to display/distribute a SOC 3 report, the company could include the “SOC3 Report: SysTrust for Service Organizations” seal on its website and include a link to the actual report. 

To learn more, feel free to visit the Service Organization Control FAQ