AICPA SOC reports are everywhere these days - SOC 1, SOC 2, and SOC 3 - and this is due in large part to the retirement of the longstanding SAS 70 auditing standard, which was in place for approximately two decades (April, 1992 to June 15, 2011). So out with the old and in with the new - and very new the AICPA SOC reports are - as witnessed by the three distinct reporting options that service organizations now have. With such monumental changes in reporting on controls at these very service organizations, it's important to take note of the following five items regarding AICPA SOC reports.
1. It’s a SOC world out there. SOC stands for "Service Organization Control" reports, which is a completely new reporting platform for reporting on controls at service organizations - one that effectively replaced the aging SAS 70 auditing standard. There are three (3) SOC reporting options to choose from, such as SOC 1, SOC 2, and SOC 3. Look upon the SOC platform as a true shift and monumental change by the American Institute of Certified Public Accountants (AICPA) and their attempt to modernize and become more global with respect to service organization reporting. Interestingly, there is an international equivalent to the SOC 1 reporting option - ISAE 3402 - but much like SAS 70, SOC 1 SSAE 16 reports are slowly, but surely, becoming the de facto standard, once again.
2. SOC 1 is here. That's right, the heavyweight reporting option from the SOC platform is that of SOC 1. With the retirement of the SAS 70 auditing standard, SOC 1 is the new champion. Please keep in mind that SOC 1 reports actually utilize the SSAE 16 professional standard for their issuance - thus - two types of SOC 1 reports can be issued - SOC 1 SSAE 16 Type 1 and SOC 1 SSAE 16 Type 2 reports. And though SOC 1 SSAE 16 reports are technically designed for reporting on controls at service organizations who have a true and credible nexus with a concept known as “ICFR” - "Internal Control over Financial Reporting” – the standard itself has taken root much like SAS 70, resulting in a wide range of third-party entities undertaking SSAE 16 compliance.
3. SOC 2 is slowly emerging. When the AICPA dismissed the longstanding SAS 70 auditing standard, effectively replacing it with the SOC framework, they’re intent was to provide meaningful and flexible reporting options for service organizations, such as SOC 2 reporting. And though SOC 2 is an excellent option for reporting on many of today's technology based service organizations - such as cloud computing entities, data centers, managed services providers, and others - it is not used in a widespread fashion when compared to SOC 1 SSAE 16 reporting. This will more than likely change, however, as interested parties become more aware of the true value of SOC 2 reporting. As for the professional standard used for issuing SOC 2 reports, it is AT Section 101, as published by the AICPA. Additionally, SOC 2 reporting incorporates the Trust Service Principles (TSP), which are: (1). Security. (2). Availability. (3). Processing Integrity. (4). Confidentiality. (5). Privacy.
4. SOC 3 is an option also. SOC 3 reporting also uses AT Section 101 at its professional standard, along with the Trust Services Principles (TSP) for reporting. SOC 3 reports differ from SOC 2 reports in a few technical aspects, mainly in that SOC 2 reporting actually provides detailed evidence of auditor findings and other relevant information, while SOC 3 does not. SOC 3 also brings to surface the SysTrust and WebTrust seals that can be issued and showcased as validation of compliance. SOC 3, much like SOC 2, is a very viable reporting option, and one that’s gaining acceptance in many industries for reporting on controls at service organizations.
5. Policies and procedures are necessary for SOC compliance. Welcome to the world of regulatory compliance where policies and procedures need to be developed, especially information security policy and procedural documentation. Keep that in mind when it comes to SOC compliance. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
Speak with Christopher G. Nickell, CPA, to learn more about NDB's AICPA SOC reporting services and our competitive, fixed-fee pricing. He can be contacted at 1-800-277-5415, ext. 706 or via email at email@example.com.