Service Organization Control (SOC) Reporting, which consists of SSAE 16 SOC 1, SOC 2, and SOC 3 reporting, was developed by the American Institute of Certified Public Accountants (AICPA) as a comprehensive replacement to the now historical, one-size fits all SAS 70 auditing standard. SOC 1 reporting utilizes the SSAE 16 professional standard, while SOC 2 and SOC 3 incorporate the AT 101 standard, ultimately resulting in three (3) different types of reporting options for today’s service organizations.
Though there are a number of critical elements that helped shape and ultimately form the new AICPA SOC reporting framework, it's equally important to note that each of the three (3) SOC options are aimed at very specific needs and reporting requirements for service organizations themselves. In short, thankfully, the SAS 70 auditing standard is gone, replaced by a new and dynamic – and much better aligned – options for reporting on controls at service organizations. NDNB provides SOC audits for businesses all throughout North America. Let’s take a look at how each of the three (3) SOC options size up in today’s market and who their intended audience is:
Take note of the following important SOC 2 guidelines for helping ensure that service organizations undertake a comprehensive, efficient, and cost-effective assessment process with the AICPA Service Organization Control (SOC) reporting framework.
1. Properly Scope your SOC 2 Assessment. With Five (5) Trust Services Principles (TSP) to choose from, it’s critically important to properly scope a SOC 2 assessment for ensuring customer expectations are met, along with not putting your organization through unnecessary testing procedures. Many service organizations actually undertake compliance with all five (5) Trust Services Principles, yet a large number only test against one or a few of the TSP. This is important to note because substantial cost considerations can be had when reducing the number of TSP for audit scope.
SOC 2 guidance is a must have for service organizations undertaking a SOC 2 Type 1 or Type 2 assessment for purposes of today’s growing regulatory compliance mandates. Because SOC 2 is gaining momentum as a viable reporting option when compared to SOC 1 SSAE 16 reporting, it’s critical to learn about the following 5 important elements for auditing success, provided by NDNB Accountants & Consultants.
1. SOC 1 vs. SOC 2. When the AICPA put for their Service Organization Control (SOC) framework, they made a clear distinction between SOC 1 and SOC 2 reporting. SOC 1 reports utilize the well-known SSAE 16 standard, while SOC 2 reporting relies on the little-known AT Section 101 standard put forth by the AICPA. SOC 1 SSAE 16 reports are technically those geared towards service organizations with a credible nexus to the ICFR concept – Internal Controls over Financial Reporting, while SOC 2 reporting is aimed towards technology driven service organizations. Data centers, SaaS entities, managed services providers – these are all excellent examples of SOC 2 candidates.
6. Obtain the SOC 2 Book from the AICPA. The American Institute of Certified Public Accountants (AICPA) offers a comprehensive book that discusses all technical aspects of SOC 2 reporting. Titled “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)”, published March, 2012, and available for purchase from cpa2biz.com.
7. Truly understand what the Trust Services Principles are. The five (5) TPS’s can seem overwhelming at first, but they’re relatively easy to understand and are quite straightforward. More specifically, the TSP’s are about having documented policies, procedures, and processes in place that speak to one’s daily operational environment. NDNB Accountants provides industry leading SOC 2 audit report policy and procedure templates, so contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more. While SOC 2 audit reports are generally seen as technical, it’s very important to understand the true intent of the TSP’s – and that’s having documented policies, procedures, and processes in place.
SOC 2 audit reports are being issued on a wide variety of service organizations – mostly technology oriented businesses, such as data centers, Software as a Service (SaaS) entities, and others – thus it’s important to gain a stronger understanding of AICPA SOC 2 audit reports. Learn the essentials about SOC 2 reports with the following 10 “must know” items, brought to you by NDNB Accountants & Consultants:
1. Understand the difference between SOC 1 and SOC 2 and the overall Service Organization (SOC) Control reporting platform. Keep in mind that SOC 1 SSAE 16 reporting is “technically” geared towards service organizations having a clear nexus with internal controls relating to financial reporting – a concept known as ICFR. SOC 2, however, was developed for use by the continued explosive growth of technology oriented service organizations – data centers, SaaS, managed service providers, etc. In short, SOC 2 is gaining strong traction in the marketplace as a viable and worthy audit report for many business today. It was initially largely overshadowed by SOC 1 SSAE 16 reports – as recently as 2012 – but that’s not the case anymore.
SOC 2 reports are steadily gaining widespread significance in today's world of third-party assurance reporting, effectively breaking the mold of a one-size fits all standard that started with SAS 70 and continued with SSAE 16. SOC 2 audits, though initially overshadowed by SOC 1 SSAE 16 reporting, are becoming a viable "go to" reporting option for today's complex, growing, and ever-changing service organizations. As such, companies seeking SOC 2 compliance should take note of the following important points regarding the AICPA Service Organization Control (SOC) 2 reporting framework, provided by NDNB Accountants & Consultants, a nationally recognized boutique CPA firm providing high-quality, competitive fees for SOC 1, SOC 2, and SOC 3 compliance.
