Costs of SAS 70 audits were often borne by the service provider, except that the customer was sometimes responsible for the cost of any additional audit procedures required by, or specific to, the customer. Perhaps a similar cost-sharing methodology--in which the customer bears the cost of additional audit procedures specific to the customer, but the service provider bears the bulk of the cost--will develop as the norm for contractual provisions regarding SOC 1 and SOC 2 reports.
While SOC 1 and SOC 2 reports are generally specific to a given customer, SOC 3 reports are "general use" reports that do not focus on any particular customer. SOC 3 reports are similar to SOC 2 reports, however, in that they may address any combination of the trust services principles.
SOC 3 reports covering all trust services principles might be very useful to a customer in its procurement or vendor selection process, providing insights into risks associated with different service providers. Similarly, service providers might use SOC 3 reports (and the AICPA's associated SOC 3 seal) as marketing tools.
Requiring the new Service Organization Control reports--whether in your procurement process or in your technology-related contracts--could be very helpful in understanding the potential risks associated with technologies such as cloud computing.
SOC Framework: 10 Action Items
- Educate yourself on the new AICPA Service Organization Control (SOC) framework.
- Learn about the Trust Services Principles (TSP) framework.
- Consider purchasing a SOC 2 audit guide.
- Learn about AT Section 101.
- Understand the true technical differences between SOC 1 and SOC 2.
- Understand the requirements for a des-cription of the "System."
- Learn about the written statement of assertion.
- SOC 2 is criteria-based, not control-objective based.
- The adoption of SOC 2 is moving more slowly than expected.
- SOC 2 and SOC 3 are similar in a number of ways.
Source: NDP Accountants & Consultants, "SOC 2 Reporting Framework and the Top 10 Items You Need to Know About," September 2011
About the Author
Milton L. Petersen is an attorney whose practice focuses exclusively on information technology-related transactions and issues. He is a partner in the Information Technology Practice Group at the law firm of HunterMaclean in Savannah, Ga., and may be reached at 912-238-2629 or firstname.lastname@example.org.