SOC Compliance and SSAE 18 Audit Services
One of the most important reports for a third party (vendor) and SOX compliance is the SOC 1 or SOC 2 Type 2 Audit. The SOC 1 or SOC 2 Type 2 audit (attest) report provides for SOX compliance and assurance on controls. SOC compliance reports are part of AICPA's SSAE 18 Attest Standard that is now used for the SOC 1, SOC 2, and SOC 3 reports. Since 1992, these reports have been known as SAS 70 audit reports. In 2011 the SOC 1 was brought under SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 the SSAE 16 along with other SSAE standards got merged into one SSAE 18, bringing all SOC 1, SOC 2, and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 vs 18 pertaining to SOC compliance reports.
SOC now stands for "System and Organization Controls". The definition got changed in 2017 from the earlier one as "Service Organization Controls" as these compliance reports were mainly being used for vendor(third-party) compliance audits as these organizations are also service organizations. The SSAE 18 Auditor or SOC Auditor auditing these service organizations is called Service Auditor.
A SOC 2 Type 2 or SOC 1 Type 2 compliance report provides for operating effectiveness of controls over a period such as 6 months or 12 months in contrast to certifications such as ISO/IEC 27001 that provides a certificate which is valid for 3 years. For missing periods immediately after the report, some User Entities or User Auditors may insist on a SOC Bridge Letter. A SOC compliance report can be about 100 pages or so depending on the controls reported on. The SOC Audit report comprises of all the applicable controls or criteria that are reported by the SOC Auditor (Service Auditor). The SOC audit report is now of 4 sections, Section 1 is the Auditors Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description and Section IV is a detailed list of controls as per applicable TSC 2017 criteria or the applicable control objectives along with the results of the auditors' test of controls. The SOC report can be qualified or unqualified.The SOC audit reports could be carve-in or carve-out depending on sub-service organization controls are included or not.
A SOC compliance report can only be issued only by a licensed CPA, ideally a CPA firm, as a SOC Auditor, also known as a Service Auditor. A SOC 2 Type 2 report mirrors the ISAE 3000 and the SOC 1 Type 2 report mirrors the ISAE 3402, based on the International Standard on Assurance Engagements. A Licensed CPA Firm such as ours can issue a joint SOC and ISAE report. To issue a SOC compliance report for a public (listed) entity, the CPA Firm must be registered with the PCAOB. A CPA signing the SSAE 18, SOC compliance report and the audit team needs to be Independent as this is an AICPAAttest Engagement. More on SOC 1 Type 2 Audit, More on SOC 2 Type 2 Audit.
The SOC engagements can be split into 2 main requirements
SOC 1 OR ISAE 3402
Address Controls Related to User Entities’ or Clients Internal Control over Financial Reporting (“ICFR”) or Financial Data. SOC 1 report is used for SOX compliance by service organizations affecting the financial reporting of user organizations.
Reports are for User Auditor, & User Management and Service Organization.
SOC 2 OR ISAE 3000
A SOC 2 report provides assurance that the service organization has deployed an effective control system to mitigate operational and compliance risks of its system. It addresses the System and Organization Controls(SOC) using Trust Services Criteria (TSC) for service organizations to apply and report on controls that may affect users of their service. A SOC 2 report demonstrates an independent Service Auditor’s review of a service organization’s application of criteria related to one or more of the TSC, which are:
Security or Common Criteria: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with TSC criteria. These were formerly known as the Generally Accepted Privacy Principles(GAPP) by AICPA.
SOC 2 Reports are for Knowledgeable Parties.
SOC 3 REPORT
A SOC 3 engagement is similar to a SOC 2 engagement in that the practitioner reports on whether an entity (any entity, not necessarily a service organization) has maintained effective controls over its the system with respect to TSC. A SOC 3 report may not have details of the controls in the report. It is commonly used in B2C environments.
SOC TYPE 1 vs TYPE 2 REPORTS
SOC TYPE 1
- The report is as of the point in time (i.e., as of 12/31/200X)
- Looks at the design of controls – not operating effectiveness
- Limited use & considered for information purposes only
- Useful for purposes of limited reliance by user auditors
- Generally performed in the first year that a service organization has a SOC reporting requirement.
SOC TYPE 2
- The report covers a period of time, generally not less than 6 months and not more than 12 months
- Differentiating factor: Includes tests of operating effectiveness
- May provide the user auditor with a basis for reducing the assessment of control risk below maximum
- Requires more internal and external effort
- Identifies instances of noncompliance of the stated control activity
- More emphasis on evidential matter
A TYPE 2 REPORT CURRENTLY PROVIDES THE MOST REASONABLE ASSURANCE FOR THE FOLLOWING REASONS:
- SOC Type 2 compliance report can cover the entire year and the effectiveness of the controls in the place can be reported
- It is a Third Party Period- of-Time assessment and so has Accountability
- Since it is a period of time assessment, it is more like continuous compliance with high reliability
- Most other assurance programs or audits are usually, at a point in time
- Covers a Comprehensive TSC Framework
- SOC 2 Type 2 Plus compliance reports can cover specific mandates e.g. Cloud Security and Privacy
- Provides a high-reliability SOC Seal by AICPA
- More on SOC 2 Type 2 vs ISO/IEC 27001, 27701(PIMS).