Data centers, software providers and information technology firms can expect that clients will be asking to see their service organization control (SOC) reports.
SOC reports have replaced the Statement on Auditing Standards 70 (SAS 70) as a means of assuring companies they do business with that proper controls are in place.
“Years ago, it was mostly payroll companies having SAS 70 audits done because they were affected more than everybody else. They managed their clients’ money, and their clients needed to make sure that they had controls in place,” says Robert B. Brenis, CGEIT, CISA, CRISC, PMP, a principal with Skoda Minotti Technology Partners. “A lot of companies are now seeing the need for these because, with the advent of technology, many have access to their clients’ information.”
Smart Business spoke with Brenis about the differences between SOC reports and SAS 70 audits and the types of companies that should have them prepared.
What is a SOC report and how does it differ from the SAS 70?
SAS 70 was one report, now the SOC 1, and it covered service organization controls related to financial statement assertions. SOC reports break SAS 70 reports into three different reports: SOC 1, SOC 2 and SOC 3. SOC 2, also known as AT 101, audits any or all of five trust service principles: security, availability, processing integrity, confidentiality and privacy. It also contains descriptions of tests performed and the results. The intended audience for a SOC 2 report is management of the user entities. While SOC 3 reports look at the same data as a SOC 2, it is more of a general use report, providing only the auditor’s report on whether the system achieved the test criteria. A SOC 3 report is intended for any user who wants assurance on the five trust service principles and wants this report freely distributed.
Why was a switch made from SAS 70 to SOC reports?
The biggest reason is that the SAS 70 was not being used the way the American Institute of Certified Public Accountants intended it to be used. Accountants were opining on more technical things like firewalls they have in place and secured socket layer encryption. Accountants, however, weren’t entirely sure what any of that meant.
There were way too many IT things creeping their way into the SAS 70 report, so they broke them into two different standards — the financial assertion standard, which is now the SOC 1, and the SOC 2/SOC 3 which focus on the five trust principles.
How do you know if you need a SOC 1 or SOC 2 report?
It gets back to the type of business that’s being provided. If a service is being provided that can affect a client’s financial statements, a SOC 1 is absolutely needed. Say you’re housing servers. That’s more in the realm of security and availability, which talks to the trust services principles found in SOC 2. You should talk to the client to understand the service they’re providing and make sure they get the right one done.
What is meant by Type 1 and Type 2 reports?
As was the case with the SAS 70 audit, there are also two types of SOC reports. With a Type 1, the policies you have are reviewed to determine if they cover the controls you have described in the ‘Management’s Description’ section of the report. In a Type 2 report though, it’s not just the policies that are audited but also the procedures. If you have a policy that says you are reviewing employee network access monthly, for a Type 1 this policy is enough. For a Type 2, you need to show proof that these reviews are happening on a monthly basis.
What value does a company get from a SOC report?
- You will have a description of your business in your words.
- Your clients’ concerns about certain controls are addressed before these concerns become issues.
- You will have an SOC report completed before you are required to have one for an RFP.
- You will demonstrate to your clients that your business uses due care in managing information.
- You can use this process to review and improve internal controls, eliminating unnecessary risk from your business.
One example is a medical billing company that thought it had all the policies and procedures in place to ensure it was tracking receivables on a consistent basis. When we went through the process of the controls that were in place, it was discovered that any receivable that got beyond 180 days dropped off their radar. So they weren’t chasing after money when they should have been. It helped them realize where they had holes and led to a change in their processes. The next year they didn’t have anything in their receivables that came up to 180 days. So the receivables were watched on a much tighter basis.
Other examples would be if your SOC 1 business description says that you have service level agreements with your clients. An audit can be performed against those service level agreements to determine if they’re being met. If not, it could mean that you’re going to owe some clients money, so you need to maintain your service levels that have been agreed upon by your clients. You are liable because you’re supposed to be
following up.
ROBERT B. BRENIS, CGEIT, CISA, CRISC, PMP, is principal with Skoda Minotti Technology Partners. Reach him at (440) 449-6800 or [email protected].
