Explaining SOC: Easy as 1-2-3
What CPAs need to know about Service Organization Controls reports.
June 11, 2012
A year after the AICPA introduced the Service Organization Controls reports, I continue to field lots of questions about SOC and its different “flavors.”
Accountants also are still asking me about the migration to SOC from the old Statement on Auditing Standards No. 70 (SAS 70).
This article provides an overview of the SOC 1, SOC 2, and SOC 3 reports, explaining when and why to use each one.
From SAS to SOC
To best understand SOC reports, it’s helpful to know why the AICPA created them. The past several years have seen rapid growth in the number of businesses outsourcing various functions to service organizations such as cloud computing providers. Examples of traditional services provided by service organizations include payroll processing and medical claims processing; relatively newer services include human resources, document management, workflow, and tax processing. The growth in outsourcing has been fueled by a number of factors, including the recent economic recession, pressure to improve operational costs, an increasingly virtual workforce, and a lack of internal resources to support a process or function.
The rise of cloud computing has played a key role in the number of businesses that outsource functions to service organizations. Entities that use service organizations are referred to as “user entities” in SOC terminology. Because the cloud consists of servers accessible through the internet, cloud computing providers can offer user entities access to applications, data storage, and numerous other computing functions on a pay-as-you-go basis. This model often proves more convenient and cost effective for user entities, which are happy to shed the cost, time, and risk associated with having to buy software licenses and pay for the purchase and maintenance of servers.
In many of these outsourcing situations, user entities submit personal or confidential customer information to service organizations for processing or storage. A breach in privacy practices may occur while such information is at a service organization. Even though the breach may occur while the information is at the service organization, the user entity continues to retain responsibility for protecting such information. Such liability concerns and the growth in cloud computing have elevated the marketplace demand for assurance regarding the confidentiality and privacy of information processed by a service organization’s system.
The old SAS 70 standard was designed to assist CPAs reporting on controls at a service organization that affect user entities’ financial statements, not for reporting on controls at a cloud computing provider that affect the privacy of customer data. However, in the absence of a better option, SAS 70 was improperly used as the framework for such assessments, and terms such as “SAS 70 certified” were inappropriately used by many service organizations to indicate that their system controls had been found to be reliable and trustworthy.
Because of the confusion and misuse of SAS 70, the AICPA replaced it with the SOC framework.
The ‘flavors’ of SOC
As part of the Auditing Standards Board’s clarity project, the AICPA split SAS 70 into two new standards: the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) for service auditors (effective for SSAE 16 reports for periods ending on or after June 15, 2011) and a new SAS for user auditors (effective for 2012 year-end audits).
Like SAS 70, the SSAE 16 standard focuses on guidance for auditors assessing financial statement controls at service organizations. This is the basis of the SOC 1 report.
The SOC 2 and SOC 3 reports both look at a service organization’s controls relevant to the security, availability, or processing integrity of a service organization’s system or the privacy or confidentiality of the information the system processes. These reports are based on AT Section 101, Attest Engagements, and the controls are evaluated using the trust services principles and criteria.
SOC 1 and SOC 2 are similar to SAS 70 in that both have type 1 and type 2 report options, as explained in more detail below.
Here’s a quick look at the users, content, and purpose of SOC reports.
The AICPA has approved two logos that service organizations and CPAs may use in marketing their services related to SOC engagements. These logos may be used in promotional material or displayed on a website. Note that these are not seals to be displayed on the website of a service organization that has received a SOC 3 report within the past year from a CPA licensed for the seal by the CICA.
For CPAs who provide SOC 1, SOC 2, or SOC 3 engagements, the only logo approved for use is:
For service organizations that have received a SOC 1, SOC 2, or SOC 3 report issued within the past year, there is also only one logo that may be used. The logo approved for use is:
For more information, the AICPA has resources available at AICPA.org/SOC.
Demand for SOC reports should increase in the coming years because of continued growth in cloud computing.
Technology research firm Gartner expects the cloud-based, software-as-a-service market to grow at more than twice the rate of the overall software market. Gartner forecasts a compound annual growth rate of almost 16% for the SaaS market, as show in the graphic below. That compares with a projected compound annual growth rate of 6.3% for the software market as a whole.
As the cloud market grows, so do opportunities for CPAs to conduct SOC assessments of service providers. This line of work can provide a fresh flow of revenue for accounting firms.
James C. Bourke, CPA/CITP/CFF, CGMA, is a partner at New Jersey-based accounting firm WithumSmith+Brown, where he is director of firm technology. He is co-chair of the Practitioners Symposium and TECH+ Conference in partnership with the Association for Accounting Marketing Summit. He also serves on the AICPA Board of Directors and is a past president of the New Jersey Society of CPAs and a past chair of the AICPA CITP Credential Committee.