The AICPA developed and revised FAQs – New Service Organization Standards and Implementation Guidance to assist in the implementation of Statements on Standards for Attestation Engagements (SSAE) 18, SOC 1, SOC 2 and SOC 3. The following are questions and answers from that report that are most pressing to businesses.
The Statements on Auditing Standards (SASs) primarily provide guidance on reporting on an audit of financial statements, whereas the SSAEs primarily provide guidance on reporting on other subject matter. In a service auditor’s engagement under SSAE No. 18, and also under SAS No. 70, the practitioner reports on a service organization’s description of its system and on the service organization’s controls relevant to user entities’ Internal Control over Financial Reporting (ICFR). Because an examination of a description of a system and controls is not an audit of financial statements, the Auditing Standards Board (ASB) concluded that the new standard should be placed in the attestation standards, along with SSAE No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, AT sec. 501), in which a CPA reports on an entity’s own controls over financial reporting. SSAE No. 18 is a product of the ASB’s project to clarify its standards and to converge them with the standards of the International Auditing and Assurance Standards Board (IAASB). The IAASB’s standard for service auditors, International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, is included in its assurance standards (the equivalent of the attestation standards). Accordingly, the guidance for service auditors was moved to the attestation standards.
Have significant changes been made to Statements on Standards for Attestation Engagements (SSAE) No. 18 that will affect service auditors’ engagements?
The biggest change from SSAE 16 to SSAE 18 relates to the monitoring of subservice organizations. A subservice organization is a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal controls over financial reporting. SSAE 18 requires controls to be implemented that monitor the effectiveness of controls at the subservice organization.
When is SOC 2 more appropriate than a SOC for Cybersecurity?
In our experience, the SOC 2 is increasingly valuable in business-to-business compliance and assurance. It continues to expand in usefulness as a tool to meet other requirement standards (e.g., GDPR, HIPAA and PCI) that require detailed oversight of third-party vendors. We are seeing many businesses expand from a basic SOC 2 Security report to SOC 2 Security + HITRUST or SOC 2 Security, Availability and Confidentiality. This demonstrates that they are expanding their control environment and better protecting their responsibilities to their customers.
When is SOC for Cybersecurity more appropriate than a SOC 2?
We are finding that the SOC for Cybersecurity is especially useful for larger enterprises that need a measurement of their own cybersecurity posture. This is meeting the need to quantify risk over time for board members who want to know if cybersecurity risks are being adequately mitigated. It is a great way to measure whether very specific controls have improved from year to year.
How can I learn more about SOC for Cybersecurity?
For a more detailed comparison, see the downloadable SOC 2 and SOC for Cybersecurity comparison sheet on the AICPA’s website.
Does the SOC 2 guide require that a type 2 report cover a specified minimum period?
The SOC 2 guide does not prescribe a minimum period of coverage for a SOC 2 report. However, paragraph 2.09 of the SOC 2 guide states that one of the relevant factors to consider when determining whether to accept or continue a SOC 2 engagement is the period covered by the report. The guide presents an example of a service organization that wishes to engage a service auditor to perform a type 2 engagement for a period of less than two months. It further states that in those circumstances, the service auditor should consider whether a report covering that period will be useful to users of the report, particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis. The practitioner would need to use professional judgment in determining whether the report covers a sufficient period.
Is there a prescribed set of control objectives for SOC 2 and SOC 3 engagements?
In SOC 2 and SOC 3 engagements, the service auditor uses the criteria in TSP section 100 (Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids)) for evaluating and reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. In TSP section 100, these five attributes of a system are known as principles. A service auditor may be engaged to report on a description of a service organization’s system and on the suitability of the design and operating effectiveness of controls relevant to one or more of the trust services principles. The criteria in TSP section 100 that are applicable to the principle(s) being reported on are known as the applicable trust services criteria. Accordingly, in every SOC 2 and SOC 3 engagement that addresses the same principle(s), the criteria will be the same (the applicable trust services criteria).