AICPA Service Organization Controls cliff notes-ssae-16-soc_2-soc_3

“The Cliff Notes Version” to a Better Understanding of SSAE 16 (SOC 1), SOC 2 and SOC 3

In June of 2011, the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure. SOC 1, also known as Statements on Standards for Attestation Engagements No. 16, is better known throughout service organizations as SSAE 16 and is the successor to SAS 70. Like anything relatively new, there are plenty of questions and opportunities for clarification from an experienced CPA firm such as SSAE 16 Professionals, LLP.

The professionals at SSAE 16 Professionals, LLP are honored to share and be a resource for any information regarding SSAE 16 as well as other value-added audit/compliance services. We are one of the nation's leading PCAOB-registered CPA firms performing SSAE 16 (SOC 1), SOC 2 and SOC 3 audits. The following is a very basic, or “Cliff Notes”, version of information that we hope you find helpful regardless of your SSAE 16 knowledge level. We are also available for follow-up or to answer any further questions you may have.

Since mid-2011, SSAE 16 (SOC 1) has replaced an aging SAS 70 and is here to stay. Rapid changes within service organizations drove the evolution to SSAE 16, where controls and related assertions need to be based on relevant internal control over financial reporting (ICFR). This has led service organizations to restructure their control objectives and acquire formal certification to satisfy and comply with the newly evolved standards. For service organizations today, SSAE 16 calls for a description of its “system”. This describes the policies and procedures in place, along with personnel and operational functions, with consideration to the services provided that are relevant to current and future user entities. This is far more detailed and comprehensive than SAS 70’s description of “controls”. Also, unlike SAS 70’s perceived “one size fits all” approach, the AICPA SOC framework now provides multiple reporting options. Service organizations are now required to choose between SSAE 16 (SOC 1), SOC 2 and SOC 3. Consultation with an experienced CPA firm such as SSAE 16 Professionals, LLP can assist in deciding which report or reports best support the organization's objectives.


Understanding the Basics of SSAE 16 (SOC 1)

Let’s assume we are referring to an organization within any of the industries that fall under the service organization umbrella whose services impact its clients’ ICFR. With a corporate objective to best position the organization for continued growth, client confidence, and the ability to serve a broader range of clients, an SSAE 16 (SOC 1) audit fully supports this objective with a proven and very strong return on investment (ROI). The first step towards an SSAE 16 (SOC 1) audit requires the organization to identify what services and controls are in place that affect the ICFR of clients that utilize its services. This is a rigorous process dedicated to achieving and demonstrating that your services meet a minimum set of standards as identified and evaluated in the service auditor’s report.

As with past SAS 70 reports, both SSAE 16 (SOC 1) Type I and SSAE 16 (SOC 1) Type II reports can be issued depending on the specific requirements and objectives of the service organization. Both report types add value and credibility to a service organization’s core activities, with the following differences:

Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SSAE 16 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a “specific date”.

Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time”. Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance and reporting detail it provides.

Understanding the Basics of SOC 2

For companies providing services that do not impact their clients’ ICFR, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following principles:

Security: The system is protected against unauthorized access (both physical and logical)

Availability: The system is available for operation and use as committed or agreed


Processing Integrity: System processing is complete, accurate, timely, and authorized

Confidentiality: Information designated as confidential is protected as committed or agreed

Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

This means that many companies which have used SAS 70s in the past will now need a SOC 2 report (e.g. managed service providers, Software as a Service (SaaS), cloud computing, etc.).

SOC 2 reports are restricted use reports, which means use of the reports is restricted to:

Management of the service organization (the company who has the SOC 2 performed)

User entities of the service organization (customers, regulators, business partners, suppliers, etc.)

As with SSAE 16 (SOC 1) reports, SOC 2 Type I and SOC 2 Type II reports can be issued:

Type I – a Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SOC 2 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a “specific date”.

Type II – a Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time”. SOC 2 Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.

SOC 3 WebTrust and SysTrust for Service Organizations

The Trust Services Principles and Criteria are a set of professional attestation and advisory services that form the basis for both the WebTrust™ and SysTrust℠ Services. The Trust Services are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to maintain the privacy and confidentiality of information. In today’s global economy, companies are relying more and more on complex and powerful information technology systems. In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrust™ or SysTrust℠ audit, which is performed by a licensed CPA when a SOC 1 SSAE 16 or SOC 2 AT 101 audit is not appropriate.


WebTrust Reports

The WebTrust service and report is primarily designed for e-commerce systems and is comprised of a family of assurance services including:

WebTrust Online Privacy. The scope of the assurance engagement includes the relevant online Privacy principle and criteria

WebTrust Consumer Protection. The scope of the assurance engagement includes both the Processing Integrity and relevant online Privacy Principles and Criteria

WebTrust. The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above

WebTrust for Certification Authorities. The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities

SysTrust Reports

As with the WebTrust service and its respective report, the SOC 3 SysTrust for Service Organizations is comprised of a family of assurance services designed for a wide variety of information technology based systems that are defined by the entity. The scope of these reports can include one or more of the following Principles and Criteria:

Security: The system is protected against unauthorized access (both physical and logical)

Availability: The system is available for operation and use as committed or agreed

Processing Integrity: System processing is complete, accurate, timely, and authorized

Confidentiality: Information designated as confidential is protected as committed or agreed

Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

Unlike a SOC 2 report (which is a restricted use report), WebTrust™ and SysTrust℠ reports are general use reports, which means that upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue.

It is important to note that many companies undergoing a SOC 1, SOC 2 or SOC 3 audit for the first time choose to perform a Readiness Assessment prior to undergoing the Type I or Type II audit. Also, even though SOC 1 is the clear favorite among most Service Organizations, SOC 2 and SOC 3 are very valuable reporting options if needed.

Benefits of successfully completing any SSAE 16 engagement include:

Marketing and competitive advantage

One-time annual audit

Improving organizational performance and productivity

Ability to perform outsourced services for public and private companies

Potential clients are more likely to trust your company over your competitors who do not have an SSAE 16

SSAE 16 (SOC 1), SOC 2, and SOC 3 reports should be viewed as an annual investment in your company with a proven ROI, helping generate new clients while increasing operational efficiencies through streamlined processes. For more information or answers to any questions, please feel free to contact a proven and experienced CPA firm such as SSAE 16 Professionals, LLP.

About SSAE 16 Professionals, LLP

SSAE 16 Professionals, LLP is a leading provider that specializes solely in SSAE 16 (SOC 1) and SOC 2 readiness assessments, SSAE 16 (SOC 1) and SOC 2 Reports, and other IT audit and compliance reports. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control) and/or MBA (Master of Business Administration). For more personalized and specific information regarding your business objectives, please feel free to contact us any time or call (866) 480-9485. We look forward to hearing from you.