SOC 2 Type 2 compliance reporting is becoming much more common these days, due in large part to the continued growth of technology-oriented service organizations requiring regulatory audits. The old days of a one-size-fits-all standard, namely SAS 70, are long gone, so say hello to SOC 2 Type 2 compliance and the following five (5) important points you need to know about, provided by NDNB Accountants & Consultants, a nationally recognized audit and compliance CPA firm.
1. SOC 1 vs. SOC 2. SOC 1 SSAE 16 assessments are generally conducted on service organizations with a clear nexus to financial reporting, while SOC 2 assessments are targeted more towards technology-oriented service organizations. This is due to the technical and prescriptive language offered by the American Institute of Certified Public Accountants (AICPA), the developer of the SOC standards. Even so, you’ll find many technology companies being issued SOC 1 reports. Additionally, SOC 2 reporting is becoming quite well-known and is being received favorably in the marketplace, a clear break from its recent obscurity.
2. SOC 2 Reporting and the Trust Services Principles (TSP). SOC 2 Type 2 compliance entails the use of what’s known as the Trust Services Principles (TSP), a set of professional attestation and advisory services containing essential criteria-based information for assessing service organizations. Unlike SOC 1 reporting, which uses control objectives, SOC 2 Type 2 reporting is thus “criteria” based. Additionally, there are five (5) Trust Services Principles which can be used for reporting, consisting of the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: The service organization’s privacy policies and practices.
3. Type 1 vs. Type 2. In the never-ending alphabet soup of regulatory compliance, it’s important to distinguish between SOC 2 Type 1 assessments and SOC 2 Type 2 assessments. For an ounce of clarity, just remember that SOC 2 Type 1 reports are issued for a specific date, such as August 27, 20xx, while SOC 2 Type 2 reports cover what’s fundamentally known as a “test period”, which is generally a minimum of six (6) months. For purposes of growing regulatory compliance mandates, most clients will request that service organizations undertake an actual SOC 2 Type 2 assessment, as it ultimately provides greater evidence of one’s internal control environment.
4. Obtain a Fixed Fee with all Supporting Documents. The key to undertaking SOC 2 Type 2 compliance in an efficient and cost-effective manner is obtaining a fixed fee from a well-skilled CPA firm, and one that also offers all necessary information security expertise. Remember, SOC 2 Type 2 compliance is heavily dependent upon validating a service organization’s procedures, and related processes. Expect SOC 2 Type 2 compliance to continue to expand and grow in the coming years as more technology-minded businesses opt for this type of reporting. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance.
The phrase "AT 101 SOC 2" is often kicked around in today's world of regulatory compliance. With that said, it's important to gain a strong factual understanding of AT 101 SOC 2, as this will ultimately help service organizations learn more about many of their responsibilities for reporting on controls.
First and foremost the "SOC 2" component of the "AT 101 SOC 2" phrase is associated with the AICPA Service Organization Control (SOC) reporting framework, for which there are three (3) reporting options that are offered: SOC 1, SOC 2, and SOC 3. SOC 1 reports, which are very common and well-known, utilize the SSAE 16 attestation standard, while SOC 2 and SOC 3 reports utilize the AT 101 professional standard. So what exactly is a professional standard, for purposes of SOC 1, SOC 2 and SOC 3 reporting? It's a publication put forth by the AICPA with a series of provisions, statements and explicit guidance on how to perform a particular engagement.
Essential "AT 101 SOC 2" Subject Matter You Need to Know About
• AT 101 is the professional standard used for issuing SOC 2 reports.
• SOC 2 is part of the AICPA Service Organization Control (SOC) reporting framework.
• SOC 2 reports can be that of Type 1 or Type 2.
• SOC 2 reports are generally geared towards many of today's technology driven service organizations, such as Software as a Service (SaaS) entities, data centers, managed service providers, and others.
• SOC 2, though not as well-known as SOC 1, can be a viable reporting option at times.
Important SOC 1 SSAE 18 Information
• SSAE 18 is the professional standard used for issuing SOC 1 reports.
• SOC 1 is also part of the comprehensive AICPA SOC reporting platform.
• SOC 1 reports can be that of Type 1 or Type 2.
• SSAE 16/SSAE 18 is very well-known, due in large part to the fact that it replaced the longstanding SAS 70 auditing standard, which was originally put forth in April of 1992.
You can learn more about AT 101 SOC 2 by visiting the official SOC Report Guide, a comprehensive website dedicated to the AICPA Service Organization Control (SOC) reporting framework.
NDNB – North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits & Assessments
Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, more commonly known as a SOC 2 report, is a reporting option for service organizations under the new American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) framework. With three (3) reporting options available under the new SOC framework (SOC 1, SOC 2, and SOC 3), the AICPA has made great strides in replacing an aging auditing standard (SAS 70) with a vastly improved and more up-to-date service organization reporting platform.
What is AT Section 101? This seems to be a question that many people are asking these days and for good reason. AT Section 101 has become increasingly relevant for reporting on controls at service organizations due to the advent of the AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports. While SOC 1 reporting, which uses the SSAE 18 professional standard, is geared toward reporting on controls relevant to financial reporting, SOC 2 and SOC 3 reports are designed for reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting).
In short, SOC 2 and SOC 3 reports are to be issued under the AT Section 101 attest standard, while SOC 1 reports are to utilize the SSAE 18 attest standard.
Understanding the "Attestation" Element of Auditing
So what specifically is AT Section 101, which stands for "Attestation Standards" as put forth in section 101 of the codification standards? You'll first need to gain a technical understanding of what "Attestation Standards" are along with what "section 101" is. To begin, "Attestation Standards" are a series of general provisions and requirements that provide overall guidance along with a broad-based framework for the accounting and auditing profession for the purposes of providing "attest" services to organizations. In the world of public accounting, the term "attest" is generally regarded as that of asserting to, affirming to, and expressing an opinion on specific subject matter.
The "Attestation Standards" serve as further guidance and support for the larger and ever-growing professional services being provided by CPAs today outside the traditional financial statement auditing arena. More simply stated, accountants are not just conducting financial statement audits or preparing tax returns, rather, they are increasingly involved in many other areas of general assurance services, for which there needs to be a meaningful, relevant, and broad-based framework to rely upon.
General Provisions regarding an Attest Engagement
• An attest engagement is to be performed by a practitioner that has adequate training in the actual attest function being performed, adequate knowledge of the subject matter and that the subject matter at hand is actually capable of being evaluated against suitable and available criteria.
• The practitioner is to be independent in fact and in mental attitude when conducting an assurance engagement and due care should be used in planning, performing, and supervising the engagement.
• The practitioner should adhere to the provisions set forth in the Standards of Fieldwork and the Standards of Reporting, as may be relevant, which you can learn more about at the Public Company Accounting Oversight Board (PCAOB).
Regarding "section 101", which is the section number within the codification standards, it is essentially a section that provides a framework for "attest" engagements performed by practitioners. Moreover, this section applies to engagements in which a certified public accountant (CPA) in the practice of public accounting is engaged to issue or does in fact issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about a particular subject matter.
AT 101 and SOC 2 - Huge Growth Expected
AT Section 101 will play a pivotal role in reporting on controls at service organizations due to the large and ever-growing number of entities in today's "cloud computing" and technology business sectors. Organizations providing Software as a Service (SaaS), managed services, cloud computing, and a host of other technology-related services will most likely be issued SOC reports under the AT Section 101 attest standard.
Service Organization Control (SOC) 2 reports will be conducted in accordance with AT Section 101 and will utilize the AICPA audit guide (which was released in April of 2011, along with subsequent releases) titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy". Thus, when reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting), SOC 2 reports should be utilized. And much like SOC 1 | SSAE 18 reports, SOC 2 reports can be either a Type 1 or a Type 2. And as noted earlier, when using the audit guide "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy", the engagement for SOC 2 reports must be performed in accordance with AT Section 101.
AT Section 101 is a professional standard that all service organizations need to be keenly aware of, due in large part to the creation of the AICPA SOC reporting framework, in which both AT Section 101 and SSAE 18 play critical roles in reporting on controls.
In issuing a SOC 1 (SSAE 16/SSAE 18) report, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has been very clear in stating that the intent of actual SSAE 16/SSAE 18 itself is for reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting.
Simply stated, if a service provider is performing a task or function or providing a service to another entity, and that service impacts the financial reporting of the entity in some way, then SOC 1 (SSAE 16/SSAE 18) is applicable. Thus, the scope of SSAE 18 is still consistent with that of SSAE 16, which it superseded.
AT Section 101 and SOC 2 Reporting - A Growing Trend
Thus, when reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting), practitioners should perform an Attest Engagement in accordance with AT Section 101. Therefore, SOC 2 audits are to be the chosen reporting platform for such user organizations. Keep in mind that the reasoning for the AICPA to make the use of AT Section 101 very clear is that the original (and now thankfully defunct) SAS 70 auditing standard strayed heavily from its original use as an auditor-to-auditor standard and became more of an internal control audit conducted on almost any conceivable organization. Many service organizations quickly began to obtain SAS 70 Type I and Type II compliance for marketing and business development reasons, often largely ignoring the true technical merit and intent of the auditing standard itself. As such, the AICPA highly recommends that practitioners reporting on controls outside of financial reporting conduct an Attest Engagement in accordance with AT Section 101.
The AICPA is also very aware of the changes being brought about from technology and has published numerous guides, such as the following: Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
AT Section 101 and SOC 2 Audits - The Preferred Choice for Technology Companies
Expect this guide to be utilized when practitioners issue Attest Engagements under AT Section 101. This guide, along with the issuance of a Service Auditor’s Report under AT Section 101, could become a very well-known audit report in the marketplace as companies possibly move away from the SOC 1 (SSAE 16/SSAE 18) scope (which is limited to financial reporting) and embrace reporting on controls outside the scope of financial reporting. It’s simply too early to tell which of the service organization reporting options will take firm root, resulting in widespread acceptance. With that said, expect SOC 1 (SSAE 16/SSAE 18), Attest Engagements in accordance with AT Section 101, ISAE 3402 and other country- or region-specific standards to be the dominant players.
Simply stated, if you’re a technology company, such as a cloud computing vendor/provider, data center, managed services entity, software development shop, or data analytics provider, or any type of business in the technology space, then SOC 2 Type 1 and SOC 2 Type 2 audits are the preferred choice for compliance reporting. Want to receive a competitive, fixed fee for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 compliance? Then contact us today or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706.