LBMC Security Services LLC

AICPA Service Organization Control Reports (SOC 2 and SOC 3 Reports)

AICPA SOCService organizations such as claims processors, application service providers, benefits administrators, payroll companies, data centers, etc. that provide key third-party outsourcing services often need to be accountable to the clients that they serve. With the advent of the Sarbanes-Oxley Act (SOX), other demands for transparency, increasing globalization and outsourcing, the use of SSAE 16s (formerly SAS 70s) has grown exponentially. Furthermore, the creation of Service Organization Control (SOC 2 and SOC 3 reports) provides two new reporting vehicles developed for service organizations to respond to demands for uniform reporting and review—expanding service organizations’ ability to report on non-financial controls and, with SOC 3, become certified trusted system service organizations.

CPAs perform SSAE 16 attestments to provide assurance to the service organization’s customers and their auditors that the organization has certain, adequate and effective controls in place. Type I audits consider the controls’ effectiveness at a certain point in time, while Type II audits examine the controls’ effectiveness over a specific period, typically six to 12 months.

Unlike previous SAS 70 audits, SSAE 16s and SOC 2 and SOC 3 engagements address today’s environment that:

  • Requires greater international consistency,
  • Addresses newer technologies such as cloud computing, mobile and virtualization,
  • Demands more widely recognized and understood reporting options.

SSAE 16 (SOC 1) presents several changes from an SAS 70, including requiring management to provide written descriptions of its systems and assert that the system descriptions are fairly presented, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.

While SSAE 16 (SOC 1) examines service organizations’ controls related to financial reporting, SOC 2 and SOC 3 reviews non-financial reporting controls. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1). An SOC 2 report is similar to an SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization's system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.

Trust Services Report for Service Organization: SOC 3 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations that also are used in SOC 2 engagements. The key difference between an SOC 2 report and an SOC 3 report is that an SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. An SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

Clients should know coverage and quality of SSAE 16 (SOC 1), SOC 2 and SOC 3 reports can vary significantly. The most successful ones require an experienced auditor knowledgeable in identifying, testing and reporting on the types of controls important to that particular service organization’s customers. LBMC’s multi-disciplined teams have the financial and information systems auditing experience to ensure service organizations undertaking an SSAE 16 or SAS 70 have the best information for their organization, industry and clients.