An Introduction to SOC 2

IMGCAP(1)]In mid-2011, the American Institute of CPAs established a Service Organization Controls reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations.

Additionally, the AICPA sought to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as a mechanism for reporting on security, compliance, and operational controls.

To achieve these goals, the AICPA released the following reporting framework:

• SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
• SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
• SOC 3: SysTrust for Service Organizations

Of the three, SOC 2 is the only new type of examination. Despite being new, customers are already expecting, if not requiring, service organizations to undergo SOC 2 examinations. In many cases, these expectations are on top of existing SOC 1 (SSAE 16) obligations.

To fully understand SOC 2, one would need to read the 150-page professional guide on the topic. Realizing that is not feasible for most practitioners, I have prepared the following 10 points, which are designed to provide CPAs with a conversational knowledge of SOC 2:

1. SOC 2 examinations are designed to provide organizations that outsource the operation, collection, processing, transmission, storage, organization, maintenance and/or disposal of their information to third parties (i.e., “service organizations”) a mechanism for assessing governance and oversight at those service providers. Unlike SOC 1 (SSAE 16), the focus is on controls related to security, compliance and operations, rather than controls relevant to the financial reporting of customers.

2. SOC 2 reports allow service organizations to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report.

3. SOC 2 examinations report on controls that mitigate the risks of achieving the following “Trust Services” principles:

Security: The system is protected against unauthorized physical and logical access.
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in GAAP issued by the AICPA and the Canadian Institute of Chartered Accountants.

4. All five Trust Services principles are not required to be assessed. Service organizations may select the Trust Services principle(s) that best meet their reporting objectives. This decision is based on the relevance of each principle to their services, as well as the interests of their customers.

5. When selecting a Trust Services principle, the service organization essentially asserts compliance with the principle and its underlying “criteria.” Before selecting a principle, it is absolutely critical that service organizations review the principles and underlying criteria to confirm an ability to meet the criteria. It is worth noting that, of the five Trust Services principles, the privacy principle is particularly involved and should be selected with due care.

6. There are two types of SOC 2 examinations known as “type 1” and “type 2.” Both types of reports contain an auditor’s opinion letter, management’s assertion, as well as a system description prepared by management that describes the controls implemented to meet the criteria, among other topics. For a type 1 examination, the auditor opines on whether management has fairly described its system and whether its controls are suitably designed to meet the applicable Trust Services criteria as of a point in time. Type 2 examinations report on those same topics, but the auditor also tests the controls and opines on the operating effectiveness of those controls during a specified review period (normally 6 – 12 months in duration). Type 2 reports are the most prevalent of the two report types.

7. There are no bright-line rules defining the specific controls that must be implemented in order to meet the criteria of selected principles. For example, criterion 3.4 of the security principle states: “Procedures exist to protect against unauthorized access to system resources.” The criteria provide several illustrative controls that could be used to meet the criterion, including the use of virtual private networks, firewalls and intrusion detection systems. However, none of the illustrative controls are required. Service organizations have full discretion to present their own internal controls without issue so long as those controls meet the criteria for the selected Trust Services principles.

8. The scope of a SOC 2 examination can be modified based on the services provided. For example, otherwise applicable Trust Services criterion may be omitted if they are not applicable to the service that is the subject of the engagement. Similarly, the scope of a SOC 2 examination can be expanded to report on topics not specifically covered by the SOC 2 guidance. This gives service organizations the ability to request that the auditor also report on compliance with other frameworks, such as the security requirements of HIPAA or the Cloud Security Alliance's Cloud Controls Matrix within a single SOC 2 report.

9. SOC 2 is not a certification; however, service organizations that complete a SOC 2 examination are entitled to display the AICPA’s service organization logo on their promotional material and Web site for 12 months following the date of the report. Unlike SOC 3 (SysTrust), there is no licensing fee to use the logo, but its use is contingent on compliance with the terms, conditions and guidelines set forth by the AICPA.

10. Although SOC 2 is very similar in form to SOC 1 (SSAE 16), the two have distinctly different purposes, and one cannot be used as substitutes for the other. Furthermore, it is entirely possible that a service organization would have a valid need for a SOC 1 and a SOC 2 examination depending on the nature of its services.

For those seeking additional information on this topic, a detailed list of criteria for the security, availability, processing integrity and confidentiality principles can be found here, and the official SOC 2 guide is available for purchase here.

Chris Schellman is the president of BrightLine, one of the largest providers of SOC services in the United States, and a CPA firm accredited as a PCI QSA Company and ISO 27001 Registrar. He is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

For reprint and licensing requests for this article, click here.
Audit Accounting standards
MORE FROM ACCOUNTING TODAY