Compliance White Papers


Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, more commonly known as a SOC 2 report, is a reporting option for service organizations under the new American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) framework. With three (3) reporting options available under the new SOC framework (SOC 1, SOC 2, and SOC 3), the AICPA has made great strides in replacing an aging auditing standard (SAS 70) with a vastly improved and more up-to-date service organization reporting platform.

SOC 2 and AT Section 101

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy uses AT Section 101 as the professional standard for issuing SOC 2 reports. In short, AT Section 101 provides a framework for performing and reporting on all attestation engagements. These "attestation standards" are a series of general provisions and requirements that provide overall guidance, along with a broad-based framework, for the accounting and auditing profession when providing "attest" services to organizations.

Entities that would opt for SOC 2 reports are those that report on controls other than those likely to be relevant to user entities' internal control over financial reporting (i.e., controls outside the scope of financial reporting), such as the following:

•    Cloud Computing
•    Software as a Service (SaaS)
•    Software Development Organizations
•    Data Centers
•    Web Hosting Providers
•    Managed Services Providers
•    Call Centers

SOC 2 and Trust Services Principles

It is also critically important to note that the attributes named in Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy form the basis of the SysTrust/WebTrust audit and assurance services, more generally known as the Trust Services Principles (TSP). The TSP are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

Specifically, the TSP attributes, technically known as "principles", are defined in the following manner:

•    Security: The system is protected, both logically and physically, against unauthorized access.
•    Availability: The system is available for operation and use as committed or agreed to.
•    Processing Integrity: System processing is complete, accurate, timely, and authorized.
•    Confidentiality: Information that is designated "confidential" is protected as committed or agreed.
•    Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

SOC 1, SOC 2 and SOC 3 Primer

For a quick primer, please note that SOC 1 reports, which use the SSAE 16 professional standard, are geared toward reporting on service organizations that have established a true and credible "link" or nexus to the internal control over financial reporting (ICFR) concept. SOC 2 reports, which use the AT Section 101 professional standard, are for examining and reporting on non-financial controls, such as those of the technology and security-related entities listed above. Similarly, the SOC 3 reporting standard, which also uses the Trust Services Principles (TSP), is a viable reporting option for today's growing population of technology service providers.

Other essential components that are critical to gaining a comprehensive understanding of the new AICPA SOC framework include the following subject matter:

•    SOC 1 Reports
•    Introduction to AT Section 101
•    Understanding the AICPA SOC Framework
•    Service organization requirements, such as the description of its "system" and the written statement of assertion.

NDNB is a boutique CPA firm established with the mission to provide superior, knowledgeable audit services on a nationwide platform. For further information relevant to your organization's compliance needs for SOC 1, SOC 2, SOC 3 and many other regulatory requirements, please contact us directly at 800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations