Reporting on Controls at a Service Organization
1st Secure IT, LLC partners with 1st Secure Compliance, LLC to perform SOC 1, SOC 2 and SOC 3 engagements that result in a SOC report issued by a CPA. The following descriptions of a SOC 1, SOC 2 and SOC 3 are provided by the “AICPA Guide – Reporting on Controls at a Service Organization, Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2), March 1, 2012”:
SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), establishes the requirements and guidance for a CPA examining and reporting on a service organization’s description of its system and its controls that are likely to be relevant to user entities’ internal control over financial reporting. Service organizations frequently receive requests from user entities for these reports because they are needed by the auditors of the user entities’ financial statements (user auditors) to obtain information about controls at the service organization that may affect assertions in the user entities’ financial statements. An engagement performed under SSAE No. 16 is known as a SOC 1 engagement, and a report on that engagement is known as a SOC 1 report. SOC 1 reports are intended solely for the information and use of existing user entities (for example, existing customers of the service organization); their financial statement auditors; and management of the service organization.
AT section 101 (Attest Engagements), along with the AICPA SOC 2 publications, provides guidance on the examination of a service organization’s description of its system and controls that are likely to be relevant to the security, availability, or processing integrity of a service organization’s system or the confidentiality or privacy of the information processed by the system. Such an engagement is known as a SOC 2 engagement, and a report on such an engagement is known as a SOC 2 report. A SOC 2 engagement uses the criteria in TSP (Trust Services Principles) section 100 to evaluate the design and operating effectiveness of the service organization’s controls. In addition to AT section 101, SSAE No. 16 is also helpful to service auditors performing a SOC 2 engagement.
Just like SOC 2, SOC 3 is based on AT section 101. The difference is that a SOC 3 report can be freely distributed for general use and reports only on whether the entity has met the applicable trust services criteria. The report contains the CPA’s opinion and management’s assertion, but no description of the system and no details of the tests performed or their results. Because the reader gets no test detail to evaluate, a SOC 3 engagement must be performed as a Type II (operating effectiveness over a period); there is no Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on its website upon successful completion.
Types of SOC Reports:
A type 1 report includes a section from the CPA expressing an opinion on whether management’s description of the service organization’s system is fairly presented and whether the controls stated in the description are suitably designed to meet the applicable criteria, as of a specified date. No testing of the operating effectiveness of controls is performed by the service auditor.
A type 2 report has the same information as a type 1, but also includes a description of the service auditor’s tests of controls and the results of those tests, covering a specified period rather than a single date. A type 2 report requires testing the operating effectiveness of controls, whereas a type 1 does not. SOC 3 reports have only a type 2 option.
Purpose/Use of Report:
SOC 1: To provide the auditor of a user entity’s financial statements with information and a CPA’s opinion about controls at a service organization that may be relevant to the user entity’s internal control over financial reporting. A user auditor will use the SOC 1 report during the audit of the financial statements.
SOC 2: To provide management of a service organization, user entities, and other specified parties with information and a CPA’s opinion about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 3: To provide any user with a need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization’s systems. (Marketing)