SOC Examinations & Attestations

In a word, yes. For a SOC 1 report, service organizations are tasked with the responsibility of performing a risk assessment to define the different types of risks that are applicable to the specific service offering and infrastructure within scope.One of the products of the risk assessment is the identification of the control objectives (often stated as inverse statements of the risks) that will help address the risks. For example, if an identified risk for the logical infrastructure is “unauthorized logical access to data or systems”, then the related control objective would be to “ensure logical access to data and systems is authorized”.

Service organizations ultimately have the responsibility of defining which objectives are applicable to the scope of the service offering.

The subject matter of a control objective can be as broad or specific as needed by a service organization, and service auditors can provide service organizations with lists of possible control objectives for educational purposes. However, the service organizations ultimately have the responsibility of defining which objectives are applicable to the scope of the service offering.

The SOC 1 report enables organizations to present a strong position to its customers regarding their control environment relevant to processes that impact the client’s controls over financial reporting. Providing this report on an annual basis can deliver an additional level of assurance to your clients.

 The lack of a report may be detrimental as SOC 1 reports become standard for third party service organizations.

Conversely, the lack of a report may be detrimental as SOC 1 reports become standard for third party service organizations. Customers may cancel contracts and potential customers may not even consider the services of a third party service organization that has not undergone a SOC 1.

Customers may be lost before there is even a chance to win them.

While there is no “required” minimum duration for a SOC Type 2 reporting period, AICPA guidance has suggested the use of a period of at least 6 months.

The 6-month duration guidance primarily pertains to the belief that a user entity or user entity’s auditor may not find a Type 2 report useful if the span of the reporting period is less. However, service organizations do have the ability to use a reporting period of less than 6 months, if certain scenarios warrant the need. For example, a new service offering in need of a Type 2 report may be in existence for only 3 months, as of the time that a Type 2 report is needed. In that case, the Type 2 reporting period would be only 3 months for the initial Type 2 report but would expand to a 6-month reporting period for any subsequent Type 2 reports.

Under that scenario, the service organization would typically disclose the reason for the 3-month review period in the system description of the initial report.

YES! Without a SOC 1 report, an organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from customers can place unnecessary constraints on the organization's resources. A SOC 1 report ensures that all customers and their auditors have access to the same information and in many cases the report will be enough to satisfy the client’s financial auditor’s requirements.

We often get the question - why obtain a SOC 1 report -- other than my client or prospect needs one immediately!

There are several key benefits, some are:

• Build trust and confidence with current and potential customers
• Attain independent, third party assessment of controls
• Provide a single examination to fulfill multiple customer requests
• Obtain confirmation that controls in place are as management expects
• Increase of market share

NOTE:  Schellman recently updated this content to be more in-depth and address how an organization may choose its report type. You can find that information here. 

There are two types of SOC 1 reports. The service organization is responsible for specifying whether or not a “Type 1” or “Type 2” will be performed.

A “Type 1” SOC 1 examination is performed when management requires a report on the fairness of presentation of the service organization’s internal controls over financial reporting and the suitability of the design of controls as of a specified date.

A “Type 2” SOC 1 examination is performed when management requires a report on the fairness of presentation of the service organization’s internal controls over financial reporting and the suitability of the design and operating effectiveness of controls over a period of time, typically six months.

Simply put, the SSAE No. 16 standard is the attestation standard used to create a SOC 1 branded report.

There are several SSAEs (Statements on Standards for Attestation Engagements) for various types of reports, number 16 happens to be the one that applies and is used to perform an attestation on a service organization controls likely to impact their customers’ internal controls over financial reporting. The terms are often times used interchangeably because of their relationship; but they are different.

When referring to the ‘audit’, there is no single right way to do it; however, probably the most technically accurate phrase would be ‘SSAE 16 examination’. When referring to the report, ‘SOC 1 report’ should be used.

The Service Organization Control (SOC) 2 examination is performed in accordance with AT Section 101 and based upon the Trust Services Principles and Criteria as outlined in TSP Section 100. Similar to a SOC 1 examination, service organizations have the ability to choose between a Type 1 examination or a Type 2 examination. SOC 2 reports differ from SOC 1 reports as a SOC 2 examination reports on the controls that are relevant to one or more Trust Services Principles as opposed to a SOC 1 examination that reports on the controls that are relevant to the user entities’ internal control over financial reporting.

The five Trust Services Principles include defined criteria that are specific to the particular principle. Service organizations should have controls in place designed to meet each of the applicable Trust Services Criteria prior to the SOC 2 examination.

The SOC 2 Trust Principles include:

• Security – The System is protected against unauthorized access, use or modification
• Availability - The system is available for operation and use as committed or agreed
• Processing Integrity - System processing is complete, valid, accurate, timely, and authorized
• Confidentiality - Information designated as confidential is protected as committed or agreed
• Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the entity’s commitments and with criteria set forth in GAPP

A SOC report is often requested by organizations (user entities) that receive services from a service organization (organization that provides services critical to the client) and their auditors (user auditors). When is a SOC report applicable? If a Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), they will more than likely be asked to provide an SOC Report, especially if the User Organization is publicly traded.

Some example industries include:

• Payroll Processing
• Loan Servicing
• Data Center/Co-Location/Network
• Monitoring Services
• Software as a Service (SaaS)
• Claims Processors

Not applicable examples:

• Non-service organizations
• Service organization controls other than ICFR (e.g. regulatory compliance or privacy)

There are different types of SOC reports and a company must identify which is best for them:
SOC 1 - controls relevant to user financial reporting
SOC 2 - concerns regarding security, availability, processing integrity, confidentiality or privacy
SOC 3 - Seal and easy to read report on control

Technology based service organizations have seen the SOC 2 report gain immense traction over the past couple years.

As a result, service organizations that have successfully completed SOC 1 examinations are now being asked [by their clients] to undergo a SOC 2 examination as well. Performing an additional examination can seem daunting, yet essential to maintain and potentially win new customers.

Fortunately many of the controls between the SOC 1 and SOC 2 may overlap. In these instances, the service auditor should be able to leverage the documents for certain controls/criteria used to complete the SOC 1 for use in the SOC 2. The necessary work required to complete the additional report will be incremental (assuming the time periods overlap).

In early 2011, the AICPA issues its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.The scope of a SOC 2 report is determined by the client and the auditor utilizing one or more of the Trust Service Principals (TSP's), discussed above, as specified by the client to determine whether an information system operated by the client utilizes sufficient control activities to meet the specified criteria for the selected principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.

Schellman performs a “Type 1” SOC 2 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.

A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted use report that should only be used by third parties sufficiently familiar with the system.

In early 2011, the AICPA issues its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.The scope of a SOC 2 report is determined by the client and the auditor utilizing one or more of the Trust Service Principals (TSP's), discussed above, as specified by the client to determine whether an information system operated by the client utilizes sufficient control activities to meet the specified criteria for the selected principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.

Schellman performs a “Type 1” SOC 2 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.

A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted use report that should only be used by third parties sufficiently familiar with the system.

The short answer is no. The long answer is that the AICPA considers disaster recovery forward looking controls which cannot be included in the audited section of the SOC report (which is a historical review). However, controls related to redundancy and availability can be included, but disaster recovery is typically included in Section 5 (Additional Info Provided by Management) or the service organization can consider other examinations (such as SOC 2, ISO certification, etc.) for assurance.

Controls related to redundancy and availability can be included, if appropriate, but disaster recovery is typically included in Section 5 (Additional Information Provided by Management) or the service organization can consider other assessments that discuss disaster recovery (such as SOC 2, ISO certification, etc.).

During the planning phase for an audit, many organizations perform an extensive and formal review of their policies and procedures to determine if they meet the audit guideline requirements.

Having formal, concise, and comprehensive policies and procedures that describe the internal processes of a company is critical to having a successful audit.

Policies and procedures have such a significant impact on the internal happenings of a business because they provide the foundation of internal operations.

For example, a formal policy and procedure document regarding the data backup and replication process is meant to provide the affected personnel (i.e. systems administrators) with a clear and concise understanding of the desired business objective. Employees need to have a guiding force to provide them direction in executing their job to a sufficient level. To best support this, policies and procedures should have a policy owner. The role of the owner is to review and approve the policy on an at least annual basis to ensure the document is accurate and reflects current business processes.

Another important aspect is having the policies and procedures easily accessible to employees.

It is more and more common for companies to have a corporate intranet that acts as a central storage device for employees to easily access the policy and procedural documents. If a company does not have a corporate intranet, then on an annual basis the most up to date policy and procedural documents should be sent out to all employees.

In summary, policies and procedures provide the framework for a company's entire operations, thus it is important for companies to document and continuously revise their policies according to their current business operations.

Yes, distribution of the report is not restricted; however the authorized use or reliance on the report is restricted to specified users. These specified users include the customers (user entities) and their financial statement auditors (user auditors) that used the in-scope system or service as of the report date (for a Type 1 report) or during the review period (Type 2). A prospective user may not place any reliance on the SOC 1 report relevant to their Internal Controls over Financial Reporting.

A SOC report must include a complete set of control objectives relevant to internal controls over financial reporting (SOC 1) or to the applicable trust services criteria (SOC 2). Exclusion of relevant ITGC controls may result in a qualification for fairness of presentation and or control design. This would need to be discussed during the planning activities with the service auditor to determine the overall impact to the SOC report.

My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have really good security process in place and review the code for security issues, why do we still need segregation of duties?

Because application security only works when it's integrated with the broader security context of your environment. A user or system that can span between production and development increases the attack surface of your environment and allows for potential attacks that may have nothing to do with unauthorized changes to production code.

The International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, became effective in 2011. The standard allows accounting firms to issue attestation reports on user entities’ internal control over financial reporting for service organizations that have international operations..

A U.S. certified public accounting firm cannot issue a standalone ISAE 3402 report. Rather, U.S. certified public accounting firms can issue a combined report on Statement on Standards for Attestation Engagements (SSAE) No. 16, based on standards set by the American Institute of Certified Public Accountants (AICPA), and the ISAE 3402. The AICPA utilized standards from the IAASB for the SSAE No. 16 standard, and so the standards for SSAE No. 16 reports include the standards required for an ISAE 3402 report.

It is not required for a U.S. service organization with international operations or clients to complete an ISAE 3402 report as long as their SSAE No. 16 report includes all required standards. The service organization has the option of disclosing that their report is a combination SSAE No. 16 and ISAE 3402 report, if they meet all the standards.