Compliance - CIOInsight
Service Organization Control Reports Demystified



By Milton L. Petersen


  Table of Contents:
  1. Service Organization Control Reports Demystified
  2. SOC Reports: Who Pays?

With the increasing popularity of cloud computing and the ongoing shift to a network-centric world, the need for enterprise customers to obtain reliable information and assurances about the operations of their service providers has become more intense than ever. Understanding and appropriately addressing the new SOC reports in your technology-related contracts could provide your organization with important knowledge and insight into your service providers’ operations and controls. Here, we help you understand the new reporting structure and provide 10 action items for establishing your SOC framework.

(Page 1 of 2)

For years, provisions requiring “SAS 70” reports have frequently been included in technology and outsourcing contracts as a way to help assess risks associated with service providers’ internal controls. Such reports have been produced pursuant to the Statement on Auditing Standards (SAS) No. 70, issued in 1992 by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

In fact, SAS 70 provisions and reports were commonly misused and stretched far beyond their originally intended focus on controls that affect financial reporting. They morphed into an attempt to obtain information and assurances on a service provider’s operations and compliance.

With the increasing popularity of cloud computing and the ongoing shift to a network-centric world, the need for enterprise customers to obtain reliable information and assurances about the operations of their service providers has become more intense than ever. To address these concerns, the AICPA recently established a structure of three different types of Service Organization Control (SOC) reports that may be issued by auditors: SOC 1, SOC 2 and SOC 3 reports.

Understanding and appropriately addressing the new SOC reports in your technology-related contracts could provide your organization with important knowledge and insight into your service providers’ operations and controls.

SOC 1 reports focus exclusively on a service provider’s controls that may be relevant to an audit of a customer’s financial statements. These reports are issued pursuant to the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The AICPA issued SSAE 16 in April 2010 as a replacement for SAS 70.

SOC 1 reports, therefore, serve to replace SAS 70 reports, as originally intended, and should be required in technology or service contracts that relate to, or could affect, financial controls.

As with SAS 70 reports, SOC reports can be either:

  1. Type 1 reports, which describe the controls used by the applicable service provider; or
  2. Type 2 reports, which not only provide descriptions of the service provider’s controls, but also involve a test of the effectiveness of those controls and include the associated test results. Thus, Type 2 SOC reports provide a wide range of information and are generally the type of SOC reports that should be contractually required.

SOC 2 reports are intended to have a broader focus than SOC 1 reports. SOC 2 reports provide detailed information on a service provider’s controls that affect the security, availability or processing integrity of the service provider’s systems, or the confidentiality or privacy of the customer’s information that is processed by those systems. SOC 2 reports may be required to address any or all of the five attributes—security, availability, processing integrity, confidentiality and privacy—that AICPA defines as the “trust services principles.”

As with SOC 1, SOC 2 reports may be either Type 1 or Type 2, with Type 2 reports providing additional information and test results that will likely be useful to most customers. SOC 2 reports are produced under the AICPA’s attestation standards, specifically AT Section 101, Attest Engagements.

SOC 2 Type 2 reports will likely be very useful to customers in outsourcing and cloud computing relationships, where assurances regarding the service provider’s operations and compliance are needed. SOC 2 Type 2 reports will probably be especially important in heavily regulated industries such as health care and financial services, where information and assurances regarding the trust service principles are even more critical.

As both SOC 1 and SOC 2 reports are specific to a given customer, it will be interesting to observe how contractual trends emerge with respect to whether the service provider or the customer will bear the costs of audits to produce these reports.
