It’s no wonder executives seemed less than enthusiastic about the new auditing standards and controls for service organizations instituted by the American Institute of CPAs (AICPA). After all, most companies had already suffered through a decade of new internal controls and financial reporting requirements that managed to increase costs while offering nominal benefits.
But, this time, the reports that are part of the AICPA’s new Service Organization Controls (SOC) reporting suite actually benefit outsourced service providers and their customers by providing additional transparency at a time when companies are looking to outsource rudimentary tasks or move data and applications to the cloud.
“Companies previously felt like they had no option but to report under Statement on Auditing Standards 70 (SAS 70) even though it was often misused and did little to assure the performance of service providers,” says Brian Thomas, advisory services partner for Weaver. “But, the new SOC reporting options are better focused on the current needs of outsourced service providers and their customers.”
Smart Business spoke with Thomas about the benefits of the new SOC reporting options for service organizations and their clients.
Why did the AICPA change the reporting options for service organizations?
Some of it was housekeeping. The AICPA is updating certain U.S. audit standards to harmonize them with international standards, resulting in the replacement of SAS 70 with SSAE 16 (also called SOC 1). Secondly, the SAS 70 and SysTrust reports weren’t meeting the broader needs of outsourced service providers or their customers.
SAS 70 (now SSAE 16 or SOC 1) addresses only internal controls over financial reporting and SysTrust (now SOC 3) did not provide enough detail to customers — especially at a time when companies are increasingly contracting with Software as a Service (SaaS) and cloud providers, which is raising a host of different concerns. So, while doing its housekeeping, the AICPA addressed this gap with a new option called SOC 2.
What are the new SOC reporting options?
The new SOC reporting suite features three reports called SOC 1, 2 and 3. Best of all, the reporting formats are customizable, so customers can get information tailored toward their specific needs.
- SOC 1 — This report is intended to fulfill the requirements of SAS 70 (now SSAE 16). It has been updated to match international standards and is focused on internal controls over financial reporting relevant to the service provider’s customers.
- SOC 2 — This report is valuable because it addresses a service provider’s controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system. All of these are important aspects of the non-financial performance of service providers. SOC 2 is more relevant for IT-based services and contains detailed results similar to a SOC 1.
- SOC 3 (also SysTrust) — Its scope is the same as SOC 2; however, less information is provided about the results. A seal is issued that the service provider can post on its website. The accompanying report confirms only that a SOC 3 engagement was performed and the overall result without any details.
How do these new reports benefit service providers and their customers?
Alleviating the concerns of prospects and customers is one of the primary benefits for service providers. The reports may also reduce the need to accommodate auditors from client organizations because providers have to meet a fairly high audit threshold instead of self-accrediting and validating their performance using a universal set of standards.
Customers can simply review the reports and may be able to avoid the cost of auditing the service provider themselves. Also, the new reports engender trust by providing greater transparency into a service provider’s day-to-day operations, along with the assurance that a qualified auditor has examined its internal controls, compliance and performance.
How can service providers determine the best reporting format for each customer?
Certainly, the service providers should understand the needs and concerns of each customer and tailor the reports appropriately. They can also confer with the client’s auditor to determine the exact scope of their reporting concerns. The format to choose really comes down to the information and transactions handled by the outsourcer and the concerns of its customers.
For example, a client may be concerned about data confidentiality and privacy if they use any SaaS applications to manage customers and prospects, but they’ll have different concerns if they are hosting their core financial application with a service provider. It makes sense for auditors from both organizations to confer when the parties are ready to negotiate the contract and reporting requirements.
How can customers and prospects use the reports to mitigate risk and select a best-in-class service provider?
Customers must read the reports and should not assume that everything’s OK just because an auditor has ventured onto the service provider’s premises. Customers need to understand the scope of the SOC report and its relevance to the services they purchase from the service provider. Look for trends over time with the issues that are identified in their reports and request additional information from the service provider, as necessary.
Although service providers may not share the SOC reports with prospective customers, procurement specialists can develop screening criteria and RFP questions for service providers regarding the scope and issues identified in the report. Finally, don’t let the pain of implementing the new standards keep you from enjoying the gains. Thanks to the new SOC reports, customers can finally have the assurances they need to outsource with confidence.
Brian Thomas, CISA, CISSP, is an advisory services partner at Weaver. Reach him at (713) 850-8787.
Service organizations and companies that rely upon these third-party service providers are in for a change. For years, service organizations had an independent CPA firm perform an audit in accordance with Statement on Auditing Standards No. 70 (SAS 70). These SAS 70 reports were provided to customers and their auditors to provide assurance that the service organization had effective internal controls related to the services being provided. On June 15, 2011, SAS 70 was effectively replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which will bring added complexity while increasing the quality and utility of these engagements.
“More companies today are outsourcing different parts of their business to third-party service organizations,” says Tony Munns, who leads the IT risk advisory team at Brown Smith Wallace LLC, St. Louis, Mo. “These outsourcing relationships expose companies to additional risks related to the service organization’s systems. While activities can be outsourced, these companies still remain responsible for risk management. These standards allow service organizations to provide assurance to customers that their responsibilities are understood and being handled properly.”
Smart Business spoke with Munns about the change from SAS 70 to SSAE 16 reporting and what service organizations and their customers need to know to meet the new standards.
What are the different types of engagements that can be performed?
The AICPA has introduced three types of service organization control (SOC) reports to address controls at a service organization.
SOC 1 — This is very similar to the old SAS 70. It focuses on controls relevant to customers’ financial reporting processes. A SOC 1 engagement is generally used to provide assurances to customers and their auditors concerning their financial reporting processes.
SOC 2 and SOC 3 — These engagements are designed to focus on security, availability, processing integrity, confidentiality, or privacy principles at the service organization. These engagements allow service organizations to address certain compliance and operational risks that are often very important to customers.
In addition to SOC 1, 2 and 3, there are other AICPA attestation standards that allow auditors to perform engagements to report on a number of different subject matters.
Why do service organizations have these examinations performed?
Customers want to have confidence in the quality and reliability of activities being performed by their service providers. These engagements help service organizations build trust with customers related to their service delivery processes and controls. Some service organizations view these engagements as an opportunity to differentiate themselves from their competition, while others just see them as the cost of doing business.
How will the new standards impact service organizations?
Most importantly, service organizations now have the option to focus these engagements on areas of risk that may be important to their customers. Service organizations need to make sure they understand the needs of their customers and discuss the various options to arrive at the appropriate type of engagement.
The new standards also will place additional responsibilities on the service organization to ensure the comprehensiveness and accuracy of the information contained in the reports. Service organizations will now be responsible for providing a written assertion about the fairness of the presentation of the description of their system as well as the suitability of the design and operating effectiveness of their controls. SAS 70 allowed service organizations and auditors some flexibility regarding the scope of the engagement, which resulted in some engagements not fully addressing the customers’ needs. The new standards should help to improve the quality of these reports.
One other important aspect of the change is that SSAE 16 is based on international standards. This increases service organizations’ ability to utilize these reports on an international basis.
Does this address a service organization’s security and privacy practices?
Some organizations have incorrectly used a SAS 70 to give assurances to customers regarding their security and privacy practices. While a SAS 70 often included testing of security controls specified by the service organization, it generally did not evaluate security and privacy practices against a comprehensive and objective standard. SSAE 16 allows a service organization to do so. SOC 2 and SOC 3 engagements focus on controls addressing security, availability, processing integrity, confidentiality and the privacy of its systems and information.
How do these changes impact customers of service organizations?
These companies need to be aware of the changes and which reports best serve their needs. Companies need to understand what is being outsourced and what important risks and responsibilities are being addressed by the service provider. This will help guide what types of assurances your company requires and the reports that address those needs.
What should a service organization be doing now to prepare for the transition to SSAE 16?
Evaluate whether you have the appropriate system of internal controls, policies and procedures. People are sensitive about the impact of data breaches and the security of information, and it’s important to be able to assure clients that you are managing data with the highest integrity. The new standards impose some additional responsibilities upon the auditor and organization. While the impact will vary for each organization, service organizations should establish a defined transition approach to reduce the potential for surprises.
Tony Munns is the leader of the IT advisory team at Brown Smith Wallace LLC, St. Louis, Mo. Reach him at (314) 983-1297.