Overview of SSAE No. 18 and Service Organization Controls:
Statement on Standards for Attestation Engagements (SSAE) No. 18 supersedes SSAE 16, which was the previous professional standard for SOC 1 examinations. SSAE 18 is the current professional standard for all SOC reports (SOC 1, SOC 2, and SOC 3). With the release of SSAE 18 came a new brand for SOC: SOC now stands for “System and Organization Controls”, whereas previously it stood for Service Organization Controls. This change allows SOC examinations to apply to non-service organizations as well as service organizations.
With the new branding comes the following types of SOC examinations:
- SOC for Service Organizations
- SOC for Cyber Security
- SOC for Vendor Supply Chains
SOC reports for Service Organizations:
SSAE No. 18, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT-C Section 320), establishes the requirements and guidance for a CPA examining and reporting on a service organization’s description of its system and its controls that are likely to be relevant to user entities’ internal control over financial reporting. Service organizations frequently receive requests from user entities for these reports because the auditors of the user entities’ financial statements (user auditors) need them to obtain information about controls at the service organization that may affect assertions in the user entities’ financial statements. An engagement performed under SSAE No. 18, AT-C Section 320 (Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting) is known as a SOC 1 engagement, and a report on that engagement is known as a SOC 1 report. SOC 1 reports are intended solely for the information and use of existing user entities (for example, existing customers of the service organization), their financial statement auditors, and management of the service organization.
SSAE 18, AT-C Section 205 (Examination Engagements), along with the AICPA SOC 2 publications and the Trust Service Criteria, provides guidance on the examination of a service organization’s description of its system and controls that are likely to be relevant to the security, availability, or processing integrity of the service organization’s system, or to the confidentiality or privacy of the information processed by the system. Such an engagement is known as a SOC 2 engagement, and a report on such an engagement is known as a SOC 2 report. The Trust Service Criteria (TSC) used in SOC 2 engagements supersede the Trust Service Principles (TSP) used previously. A significant change in the TSC is the incorporation of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control—Integrated Framework. The Trust Service Criteria add “points of focus” to align the Trust Service Principles with the 17 principles within COSO’s Integrated Framework on Internal Control.
The inclusion of the COSO principles within a SOC 2 engagement helps by better addressing cybersecurity risks and increases the flexibility to apply a SOC 2 review to an entire entity.
Just like SOC 2, SOC 3 utilizes guidance from SSAE 18 Section 320 along with the SOC 2 Guide and the Trust Service Criteria. The difference is that a SOC 3 report can be freely distributed for general use and reports only whether the entity has achieved compliance. The report contains no details or descriptions of tests, results, or opinions. Because the report carries no such detail, a SOC 3 engagement must be performed as a Type II; there is no Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy) and allow the organization to place a seal on its website upon successful completion.
Types of SOC Reports:
A Type 1 report includes a section in which the CPA expresses an opinion on management’s description of the service organization’s system and on whether the controls stated in the description are suitable to meet the trust services criteria. The service auditor performs no testing of the operating effectiveness of controls.
A Type 2 report contains the same information as a Type 1 but also includes a description of the service auditor’s tests of controls and the results of those tests. A Type 2 report requires testing the operating effectiveness of controls, whereas a Type 1 does not. SOC 3 reports have only a Type 2 option.
Purpose/Use of Report:
SOC 1: To provide the auditor of a user entity’s financial statements with information and a CPA’s opinion about controls at a service organization that may be relevant to the user entity’s internal control over financial reporting. A user auditor will use the SOC 1 report during the audit of the financial statements.
SOC 2: To provide management of a service organization, user entities, and other specified parties with information and a CPA’s opinion about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 3: To provide any user who needs confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization’s systems. (Marketing)