If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting functions, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.
However, for those service organizations whose service does not impact the internal controls over financial reporting, what does the new AICPA requirements mean for you? Can your organization benefit from engaging an independent CPA firm to perform a SOC 2 audit? I would like to walk through the requirements of the SOC 2 audit, how the audit engagement is performed and answer the question regarding its value to an organization that is not “required” to undergo this rigorous information technology audit.
For the past 20 years the SAS 70 has been the standard audit report for service organizations, no matter what services were provided. Although the audit standard was initially intended for service organizations that impacted their customer’s internal controls over financial reporting, it morphed into a standard that was used to assess any type of controls at a service organization. The AICPA has recently published auditing standards that provide guidance for audit reports where the services provided impact the internal controls over financial reporting (SSAE16/SOC 1) and those where the service provided does not impact the internal controls over financial reporting (AT 101/SOC2). There have been megabytes written this year on the SSAE 16 SOC 1 report, so I will leave that to other authors. What I want to focus on is the SOC 2 report and what it means for the other service organizations.
The AT 101 SOC 2 auditing standard is built on the trust principles of security, confidentiality, availability, privacy and processing integrity. The AICPA has published criteria (control activities) that should be in place at an organization for each of the trust principles. The service auditor now has a standard to use for service organization when the services provided do not impact internal controls over financial reporting.
Based on the type of service provided and the principles that are relevant to the service organization, an independent CPA firm is engaged to evaluate the service organization’s internal controls. The CPA firm is required to audit the service organization against predefined criteria for the selected principles. By reviewing policies, evaluating procedures and inspecting evidence to support the published criteria, the auditor issues a report on the design, implementation and operating effectiveness of the internal controls at the service organization (Type 1 report would not address operating effectiveness) over a period of time, typically between 6 and 12 months.
SOC 2 is a rigorous audit that is challenging for services organizations. The audit criteria have been developed over time and include a comprehensive list of control activities to meet the principles of security, availability, confidentiality, privacy and processing integrity. If prospective or current customers are not asking for the audit, why incur the financial and operational costs to complete it? I will outline what I think are the biggest benefits for service organizations that choose to undergo a SOC 2 audit.
One of the most compelling reasons for a service organization to undergo a SOC 2 audit is to communicate the control environment to a broader group of stakeholders than is allowed in a SOC 1 review. Threats and attacks against computer resources continue to evolve. Senior level management are interested in understanding how their data is protected, whether the data is in house or outsourced. Transparency between the service organization and their customers is important when dealing with internal controls. As a company outsources aspects of its business to a service organization it is outsourcing the function, not the responsibility for the function. If a company chooses to move to a fully hosted IT environment managed by the hosting provider, responsibility for the financial, operational and confidential information on those servers still lies with the company who owns the data. Through the use of a SOC 2 audit, the service organization can clearly communicate the internal controls in the environment to their customers. Their customer’s management can review the SOC 2 report and gain an understanding of the controls in place at the service organization to protect their data. A logo from the AICPA can be added to the service organization’s website to communicate to the website visitor that the service organization feels strongly about internal controls and has undergone a SOC 2 audit to ensure those controls are properly designed, implemented and operating effectively.
Also, by engaging an independent CPA firm to perform a SOC 2 audit, the service organization’s management obtains comfort that the design, implementation and operating effectiveness of controls meets the AICPA published criteria related to the principles of security, confidentiality, privacy, availability or processing integrity. Like most companies, the focus of the service organization is on providing the service including on boarding new customers, building capacity and exploring ways to provide the service more efficiently. However, the service organization has a responsibility to meet customer’s SLAs, protect customer’s data and ensure availability of the service provided. Most service contracts have service level agreements that may also include financial penalties if not met. The SOC 2 audit could be used as part of the service organization’s management’s due diligence process to ensure internal controls meet published best practices.
The SOC2 audit is a useful tool for service organizations focused on the security, privacy and confidentiality of their customer’s data and the availability and processing integrity of the services offered. By benchmarking the service organization against published principles from a recognized standards organization, both the service organization’s management and their customers have visibility in to the control environment as well as comfort that the controls were evaluated by an independent third party. The results of the audit clearly communicate, through the SOC 2 report and website seal, that the service organization has a strong system of internal controls in their environment.
By Gene Geiger, Director, A-LIGN Security and Compliance Services