SOC Reporting

SAS 70, or Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in the early 90s (see Section AU 324 for the thrilling details). Its purpose was to measure the controls of service organizations (SO) in the delivery of services that impacted financial reporting to a material degree. As it was not practical to require consuming organizations to send auditors onsite to audit that service vendor, a SAS 70 report – commissioned by that service organization after a SAS 70 audit – would suffice.

Obviously IT played a role in financial reporting, and IT personnel increasingly got pulled into SAS 70 audit activities.

Over time, businesses and investors found a use for SAS 70 beyond individual audits. SAS 70 documentation provided a measure and rating system for service providers like processors of financial transactions, banks, data centers, and managed IT service providers. SAS 70 became a de facto marketing tool, and organizations began to use it as assurance for controls well beyond the scope of financial reporting. Unfortunately, SAS 70 was created strictly for financial reporting controls and did not adequately address other areas.

Also, SAS 70 could only be signed by firms registered in the US, and the need was international. In 2009, the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants created International Standards on Assurance Engagements (ISAE) 3402, “Assurance Reports on Controls at a Service Organization,” to address that need.

The AICPA remedied all of this in 2011, when it replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) No. 16, which established the Service Organization Control (SOC) reporting framework (the gory details are at AT Section 801). SSAE 16 converged AICPA standards with the IAASB standards. The framework retains the pure financial reporting function of SAS 70 in the SOC 1 subdivision, while SOC 2, “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” (these five items are referred to as “Trust Service Principles”), addresses the other control areas of interest to the majority of IT managers. SOC 2 reports come in a Type I and a Type II variety; the more-valued Type II also comments on the operating effectiveness of the controls, not just their design. SOC 3 is essentially a summary of a SOC 2 that is literally used for marketing purposes.

The SOC 2 audit and report will be embraced by service organizations that need to demonstrate:

  • how they process transactions on behalf of their customers
  • how their controls related to system availability operate
  • how their security controls function
  • how their controls related to data privacy and confidentiality operate

The growing emphasis on IT governance, risk management and compliance (GRC) and the huge spike in adoption of the cloud computing model make the SOC 2 report a critical factor. In practice, the report is verbose, repetitious, and expensive to produce; however, it is the best the consumer can get at this time.