The increase in outsourcing directly increases the risk carried by user entities, creating a need to demonstrate that control is maintained at all times. One of the most common mechanisms for doing this is for the user entity to request that the third party, or "service organization", obtain independent reporting on the effectiveness of the internal controls operating at the service organization. The well-known SSAE 16 reports (SOC 1, akin to ISAE 3402/HKSAE 3402 reports) are designed to provide assurance relating to internal controls over financial reporting (ICFR) only, and are aimed primarily at the needs of user entities' financial statement auditors. They do not cover the broader operational and compliance control needs of user entities. To address this limitation, the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) created two reporting vehicles to meet this need: SOC 2 and SOC 3.
SOC 2 and SOC 3 reports use the Trust Services Principles and Criteria as the framework for reporting on a service organization's operational and compliance controls relevant to user organizations. SOC 2 and SOC 3 reports give companies an option to obtain the assurance they need over the compliance and operational controls of functions they outsource to third parties.
Reporting on internal controls over financial reporting:
SOC 1: A direct replacement for the Statement on Auditing Standards No. 70, Service Organizations (SAS 70) report, a SOC 1 report opines on controls operating at a service organization that have a direct impact on user entities' ICFR. SOC 1 reports are not permitted to report on controls beyond ICFR. Because SOC 1 reports are already well established in the marketplace, the focus of this paper is on SOC 2 and SOC 3 reports.
Reporting on internal controls beyond financial reporting:
SOC 2: A SOC 2 report provides reporting options beyond ICFR. A SOC 2 report opines on controls relevant to security, availability, processing integrity, confidentiality, and/or privacy (referred to collectively as the Trust Services Principles) at a service organization, and does so in a format and level of detail similar to a SOC 1 report.
SOC 3: A SOC 3 report is very similar to a SOC 2 report, with a few main differences: (1) the information presented in a SOC 3 report is truncated (no description of controls, test procedures, or test results), and (2) distribution of the SOC 3 report is unrestricted, meaning it can be shared with anyone. This paper explores the appropriate application and content of SOC 2 and SOC 3 reports.
The following table compares the purpose and benefits of the different SOC reports:
A SOC report can be issued as a Type 1 (a point-in-time opinion addressing mainly the suitability of the design of the controls) or a Type 2 (an opinion spanning a defined period of time that also addresses the operating effectiveness of the controls over that period).
When an organization plans to issue a SOC 2 or SOC 3 report, we typically recommend a phased approach, from an initial readiness assessment through to the ultimate execution of a Type 2 engagement. A phased approach to obtaining a SOC 2 or SOC 3 report helps to:
- Properly define customers’ reporting needs and expectations;
- Identify and assess appropriate controls;
- Pave the way for an efficient SOC engagement; and
- Minimize the risk of testing exceptions (control deviations) being reported.