Service Organization Control (SOC) Reporting, which consists of SSAE 16 SOC 1, SOC 2, and SOC 3 reporting, was developed by the American Institute of Certified Public Accountants (AICPA) as a comprehensive replacement for the now historical, one-size-fits-all SAS 70 auditing standard. SOC 1 reporting utilizes the SSAE 16 professional standard, while SOC 2 and SOC 3 incorporate the AT 101 standard, ultimately resulting in three (3) different reporting options for today’s service organizations.
Though a number of critical elements helped shape and ultimately form the new AICPA SOC reporting framework, it is equally important to note that each of the three (3) SOC options is aimed at very specific needs and reporting requirements of service organizations themselves. In short, thankfully, the SAS 70 auditing standard is gone, replaced by new, dynamic, and much better aligned options for reporting on controls at service organizations. NDB provides SOC audits for businesses throughout North America. Let’s take a look at how each of the three (3) SOC options stacks up in today’s market and who its intended audience is:
Take note of the following important SOC 2 guidelines to help ensure that service organizations undertake a comprehensive, efficient, and cost-effective assessment process under the AICPA Service Organization Control (SOC) reporting framework.
1. Properly scope your SOC 2 assessment. With five (5) Trust Services Principles (TSP) to choose from, it is critically important to properly scope a SOC 2 assessment, both to ensure customer expectations are met and to avoid putting your organization through unnecessary testing procedures. Many service organizations undertake compliance with all five (5) Trust Services Principles, yet a large number test against only one or a few of the TSP. This is important to note because reducing the number of TSP in the audit scope can yield substantial cost savings.
SOC 2 guidance is a must-have for service organizations undertaking a SOC 2 Type 1 or Type 2 assessment in response to today’s growing regulatory compliance mandates. Because SOC 2 is gaining momentum as a viable reporting option compared to SOC 1 SSAE 16 reporting, it is critical to learn about the following 5 important elements for auditing success, provided by NDB Accountants & Consultants.
1. SOC 1 vs. SOC 2. When the AICPA put forth its Service Organization Control (SOC) framework, it made a clear distinction between SOC 1 and SOC 2 reporting. SOC 1 reports utilize the well-known SSAE 16 standard, while SOC 2 reporting relies on the little-known AT Section 101 standard put forth by the AICPA. SOC 1 SSAE 16 reports are technically geared towards service organizations with a credible nexus to the ICFR concept – Internal Controls over Financial Reporting – while SOC 2 reporting is aimed at technology-driven service organizations. Data centers, SaaS entities, and managed services providers are all excellent examples of SOC 2 candidates.
6. Obtain the SOC 2 book from the AICPA. The American Institute of Certified Public Accountants (AICPA) offers a comprehensive book that discusses all technical aspects of SOC 2 reporting. Titled “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)”, it was published in March 2012 and is available for purchase from cpa2biz.com.
7. Truly understand what the Trust Services Principles are. The five (5) TSPs can seem overwhelming at first, but they are relatively easy to understand and quite straightforward. More specifically, the TSPs are about having documented policies, procedures, and processes in place that speak to one’s daily operational environment. NDB Accountants provides industry-leading SOC 2 audit report policy and procedure templates, so contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more. While SOC 2 audit reports are generally seen as technical, it is very important to understand the true intent of the TSPs – and that is having documented policies, procedures, and processes in place.