In October, I posted an article on the various alternatives for CPA attestation reports. This past week, the AICPA issued its guidance on Service Organization Controls (SOC) 2 reports and an update to that post was in order. Here is what the newly released SOC 2 guidance states:
- In order to qualify as an SOC 2 examination, the scope of the assessment must include one or more of the Trust Services Principles.
- The resulting reports are titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy”, with the actual title adjusted according to the selected principle(s).
- Unlike SOC 1, SOC 2 reports are meant to meet a broader range of use cases where organizations provide services that do not impact their customers’ controls over financial reporting.
- Like SOC 1 (SSAE 16) examinations, SOC 2 reports can assess subject matter as of a point in time (Type 1) or over a period of time (Type 2).
- Like SOC 1 (SSAE 16), SOC 2 reports include an auditor’s opinion letter, management’s assertion letter, a system description, and in the case of a Type 2 report, the tests of controls.
Regarding the first bullet above, SOC 1 has the necessary flexibility to allow the audit firm to examine all of the controls in place that are likely to be relevant to the customers’ internal controls over financial reporting.
SOC 2 is more prescriptive and, at least in part, sets forth the subject matter of the assessment by requiring the use of the Trust Services Principles (i.e., Security, Availability, Processing Integrity, Confidentiality, and Privacy) that are selected by the service organization. It could be said that the resulting SOC 2 report is a hybrid of the SysTrust examination scope and the SOC 1 reporting format. Some exceptions do apply, whereby a service organization can be exempt from certain criteria and there is flexibility to include additional subject matter.
It is also worth noting that the AICPA SOC 2 guide includes a separate appendix relating to considerations for attestations of cloud computing providers; making reference to research and controls models published by the Cloud Security Alliance.
Service organizations considering any of the Service Organization Controls (SOC) reporting options should gain an understanding of the frameworks and resulting reports. In many cases, service organizations are likely to conclude that multiple SOC reports are appropriate, especially when combined with ISO 27001 certification.
About the Author
Ryan Buckner is a Principal at Schellman & Company, Inc. Ryan currently leads Schellman’s SOC 1 practice and has been a leading advocate for the adoption of SOC 1 and SOC 2 solutions by cloud service providers. Ryan also is an AICPA-approved and nationally listed SOC Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 800 service audits. Ryan is one of the most experienced service auditors in the United States.More Content by Ryan Buckner