SOC Reports – FAQ

The AICPA developed and revised FAQs – New Service Organization Standards and Implementation Guidance to assist in the implementation of Statements on Standards for Attestation Engagements (SSAE) 16, SOC 1 and SOC 2. The following are questions and answers from that report that are most pressing to businesses.

The Statements on Auditing Standards (SASs) primarily provide guidance on reporting on an audit of financial statements, whereas the SSAEs primarily provide guidance on reporting on other subject matter. In a service auditor’s engagement under SSAE No. 16, and also under SAS No. 70, the practitioner reports on a service organization’s description of its system and on the service organization’s controls relevant to user entities’ Internal Control over Financial Reporting (ICFR). Because an examination of a description of a system and controls is not an audit of financial statements, the Auditing Standards Board (ASB) concluded that the new standard should be placed in the attestation standards, along with SSAE No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, AT sec. 501), in which a CPA reports on an entity’s own controls over financial reporting. SSAE No. 16 is a product of the ASB’s project to clarify its standards and to converge with the standards of the International Auditing and Assurance Standards Board (IAASB). The IAASB’s standard for service auditors, International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, is included in its assurance standards (the equivalent of the attestation standards). Accordingly, the guidance for service auditors was moved to the attestation standards.

Have significant changes been made to Statements on Standards for Attestation Engagements (SSAE) No. 16 that will affect service auditors’ engagements?

The following are the three major changes introduced by SSAE No. 16:

  1. Management of the service organization will now be required to provide the service auditor with a written assertion about the fairness of the presentation of management’s description of the service organization’s system, the suitability of the design of the controls included in the description and, in a type 2 engagement, the operating effectiveness of those controls. That assertion will either be attached to or included in the service organization’s description of its system.
  2. In a type 2 engagement, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). In Statement on Auditing Standards (SAS) No. 70, the description of the service organization’s system in a type 2 report was as of a specified date, rather than for a period.
  3. The service auditor is required to identify, in the description of tests of controls, any tests of controls performed by the internal audit function (other than those performed in a direct assistance capacity) and the service auditor’s procedures with respect to that work. Tests of controls are procedures designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.

Will the guidance for user auditors change, and will it remain in the auditing standards?

The guidance for user auditors, currently in AU section 324 of the Statement on Auditing Standards (SASs), will be unchanged until the new SAS for user auditors, which has been approved by the ASB, becomes effective. The new SAS does not contain any significant changes for user auditors. However, the ASB believes that because the new SAS is written in clarity format, it will be easier for user auditors to use and, thereby, meet their responsibilities. The new guidance for user auditors will remain in the SASs.

Should service organizations use SOC 1 reports to market their services to potential customers?

No. The nature of the services performed at a service organization, how they are performed, and the controls over those services differ for each service organization. A service auditor’s report provides useful information only to an entity that actually uses those services and needs that information to make decisions about its own Internal Control over Financial Reporting (ICFR). As a result, use of a SOC 1 report (as with a Statement on Auditing Standards (SAS) No. 70 report) is restricted to management of the service organization, user entities that are customers of the service organization, and user auditors. A SOC 1 report is not intended to be used as a marketing or sales tool by the client.

Will entities now become “SSAE 16 certified”?

No. A popular misconception about Statement on Auditing Standards (SAS) No. 70 is that a service organization becomes “certified” as SAS No. 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. No such certification exists under SAS No. 70 nor does it exist under Statements on Standards for Attestation Engagements (SSAE) No. 16. An SSAE 16 report (as with a SAS No. 70 report) is primarily an auditor-to-auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ Internal Control over Financial Reporting (ICFR).

What does SOC stand for and how will the term be used? Are SOC 1 and SOC 2 professional standards?

SOC stands for “service organization controls,” as in service organization controls report or service organization controls engagement. The term SOC is part of the AICPA’s branding efforts to better communicate the engagement and reporting options available to CPAs when reporting on controls at a service organization. Statements on Standards for Attestation Engagements (SSAE) No. 16 is the official standard that establishes the requirements and guidance for performing a SOC 1 engagement. AT section 101, Attest Engagements, is the official standard for SOC 2 and SOC 3 engagements. The SOC 1 and SOC 2 guides are authoritative guides that have been cleared by the AICPA’s ASB. AT section 50, SSAE Hierarchy, classifies attestation guidance included in an AICPA guide as an interpretive publication and indicates that a practitioner should be aware of and consider interpretive publications applicable to his or her examination. If a practitioner does not apply the attestation guidance included in an applicable interpretive publication, the practitioner should be prepared to explain how he or she complied with the SSAE provisions addressed by such attestation guidance.

Now that Statements on Standards for Attestation Engagements (SSAE) No.16 has been issued, what is the appropriate manner to refer to reports previously issued under Statement on Auditing Standards (SAS) No. 70, Service Organizations? Should they be referred to as SOC 1 reports?

They will most likely be referred to as Statements on Standards for Attestation Engagements (SSAE) 16 reports or SOC 1 reports. One of the advantages of using the term SOC is that it is a one-syllable word that is easy to say, whereas the term SSAE is a four-syllable word that may be more difficult to remember and say.

Has the existing AICPA Guide Service Organizations: Applying Statement on Auditing Standards (SAS) No. 70, as Amended (commonly known as the SAS 70 guide) been rewritten to reflect Statements on Standards for Attestation Engagements (SSAE) No. 16?

Yes. The existing guide has been overhauled and rewritten to reflect the requirements and guidance in SSAE No. 16. Both the electronic and print versions of the revised guide are available at the AICPA store.

May Statements on Standards for Attestation Engagements (SSAE) No. 16 be used for reporting on controls over subject matter other than user entities’ Internal Control over Financial Reporting (ICFR)? If not, what standard should be used for such engagements?

No. SSAE No. 16 does not apply to examinations of controls over subject matter other than user entities’ ICFR, and neither does Statement on Auditing Standards (SAS) No. 70. Such engagements would be performed under AT section 101 of the attestation standards. The new AICPA guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 guide) uses AT section 101 as a framework for reporting on the effectiveness of controls relevant to security, availability, processing integrity, confidentiality, or privacy.

The increasing use of cloud computing companies (which provide user entities with on-demand network access to a shared pool of computing resources, such as networks, servers, storage, applications, and services) has created an increasing demand for CPAs to report on nonfinancial reporting controls implemented by cloud computing service providers.

How can I purchase the SOC 2 guide?

Both the electronic and print versions of the SOC 2 guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy can be purchased online at the AICPA store.

Does Statements on Standards for Attestation Engagements (SSAE) No. 16 require that a type 2 report cover a minimum period? If so, does that period differ from the minimum period in Statement on Auditing Standards (SAS) No. 70?

Both SSAE No. 16 and SAS No. 70 discourage the service auditor from performing a type 2 engagement that covers a period of less than six months. Paragraph A42 of SSAE No. 16 indicates that a type 2 report that covers a period of less than six months is unlikely to be useful to user entities and their auditors. However, there are certain limited circumstances, such as the following, in which a type 2 report covering less than six months may be considered.

  • The service auditor was engaged close to the date by which the report on controls is to be issued, precluding the service auditor from testing the operating effectiveness of controls for a six-month period.
  • The service organization or a particular system or application has been in operation for less than six months.
  • Significant changes have been made to the controls, and it is not practicable either to wait six months before issuing a report or to issue a report covering the system both before and after the changes.

Does the SOC 2 guide require that a type 2 report cover a specified minimum period?

The SOC 2 guide does not prescribe a minimum period of coverage for a SOC 2 report. However, paragraph 2.09 of the SOC 2 guide states that one of the relevant factors to consider when determining whether to accept or continue a SOC 2 engagement is the period covered by the report. The guide presents an example of a service organization that wishes to engage a service auditor to perform a type 2 engagement for a period of less than two months. It further states that in those circumstances, the service auditor should consider whether a report covering that period will be useful to users of the report, particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis. The practitioner would need to use professional judgment in determining whether the report covers a sufficient period.

Does Statements on Standards for Attestation Engagements (SSAE) No. 16 require that management’s assertion accompany the service organization’s description of its system?

Yes. Paragraph 9c vii of SSAE No. 16 states that one of the conditions for engagement acceptance or continuance is that management provide a written assertion that will be included in or attached to management’s description of the service organization’s system.

In a SOC 2 engagement, does management’s assertion need to accompany the service organization’s description of its system?

Paragraph 2.13(b) of the SOC 2 guide states, in part, that a service auditor ordinarily should accept or continue an engagement to report on controls at a service organization only if management of the service organization acknowledges and accepts responsibility for … “providing a written assertion that will be attached to management’s description of the service organization’s system and provided to users.” The recommendation in the SOC 2 guide is that the assertion be attached to the description, rather than included in it, to avoid the impression that the practitioner is reporting on the assertion rather than on the subject matter.

Is there a prescribed set of control objectives for SOC 2 and SOC 3 engagements?

In SOC 2 and SOC 3 engagements, the service auditor uses the criteria in TSP section 100 (Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids)) for evaluating and reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. In TSP section 100, these five attributes of a system are known as principles. A service auditor may be engaged to report on a description of a service organization’s system and the suitability of the design and operating effectiveness of controls relevant to one or more of the trust services principles. The criteria in TSP section 100 that are applicable to the principle(s) being reported on are known as the applicable trust services criteria. Accordingly, in every SOC 2 and SOC 3 engagement that addresses the same principle(s), the criteria will be the same (the applicable trust services criteria).