The AICPA’s December 2019 exposure draft, “Maintaining the Relevance of the Uniform CPA Examination,” includes a discussion of the growing importance of “SOC 1 reports,” as businesses are increasingly outsourcing information systems management, data processing, and data storage to third parties (http://bit.ly/36CVv4U). SOC 1 reports are designed to assist user entities and their auditors in evaluating the effect of a service organization’s controls, as reported under System and Organization Controls (SOC) engagements, on the user entities’ financial statements. The AICPA has indicated that while it continues to study whether newly licensed CPAs should be familiar with SOC reports, it will increase the emphasis on this topic in the Auditing and Attestation (AUD) and Business Environment and Concepts (BEC) sections of the CPA Exam.
As a brief background, the SOC series of reports falls under AT-C section 320, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” and Statements on Standards for Attestation Engagements (SSAE) 18 (formerly SSAE 16), Attestation Standards: Clarification and Recodification; SSAE 16 was originally effective beginning in 2011. Four reports exist currently:
- SOC 1—SOC for Service Organizations: ICFR, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
- SOC 2—SOC for Service Organizations: Trust Services Criteria, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
- SOC 3—SOC for Service Organizations: Trust Services Criteria for General Use Report
- SOC for Cybersecurity, which applies to all types of organizations.
“Trust services” refers to assurance services constructed on a set of principles and criteria; these are used in the SOC 2 and 3 reports. The Trust Services Principles and Criteria were developed under a joint project by the AICPA and the Canadian Institute of Chartered Accountants (CICA). This month’s column takes a look at some free SOC materials.
AICPA SOC Resources
The AICPA website offers access to its System and Organization Controls: SOC Suite of Services section of the Financial Reporting Center (https://www.aicpa.org/SOC). The main SOC page serves as a launching point to access SOC for Service Organizations and SOC for Cybersecurity. Most of the free materials are targeted to organization management (i.e., users) but can still be quite useful for CPAs. In addition, the SOC webpages highlight the AICPA’s commercial resources, which can be helpful for CPAs who would like to become more knowledgeable in this area.
The SOC for Service Organizations webpage presents resources for CPAs, users and user entities, and service organizations (http://bit.ly/37HHNPg). Starting with the SOC for Service Organizations: Information for Service Organizations subsidiary page, readers can find summary descriptions of SOC 1, SOC 2, and SOC 3, along with a comparison of the key issues being addressed in each type of report (http://bit.ly/2EhFN3A). A 40-page downloadable PDF, “Information for Service Organization Management,” provides an overview and discussion of the criteria for each of the SOCs, including the SOC for Cybersecurity, and it also covers management’s and auditors’ assertions (http://bit.ly/2Gy75Uj).
The CPA subsidiary page includes a comparison table of the engagement standards and report contents for SOC 1, SOC 2, and SOC 3 reports (http://bit.ly/2RFhBPR). SOC 2 and SOC for Cybersecurity examinations both address cybersecurity controls, so it is important to understand how they differ; the AICPA offers two documents that cover this issue. “SOC 2 and SOC for Cybersecurity: How They’re Different and How They Can Help Us” is a two-page brochure that provides a quick comparison table between SOC 2 for service organizations and SOC for Cybersecurity for any type of organization. The table covers the targeted users, the purpose, the control criteria, and the contents of the management assertion and the CPA’s report (http://bit.ly/3aRioF7). For a more detailed discussion, the 14-page whitepaper “SOC 2 Examinations and SOC for Cybersecurity Examinations: Understanding the Key Differences” provides background information on both types of examinations. The booklet describes the report content and includes helpful hypothetical examples of the situations for which each examination is intended (http://bit.ly/2RXqsve).
The SOC for Service Organizations: Information for Users and User Entities webpage (http://bit.ly/2uMVwWq) links to a joint AICPA and Information Systems Audit and Control Association (ISACA) 58-page “SOC 2 User Guide for Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy,” published in 2012 and hosted on ISACA’s website. The guidebook describes SOC 1, SOC 2, and SOC 3 reports, then focuses on SOC 2 reports, including the purpose, standards, and interpretation (http://bit.ly/3aY1wfA).
The SOC for Service Organizations main page presents several for-purchase resources, along with some free materials (http://bit.ly/37HHNPg). “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy” is a 342-page reference book detailing the Trust Services Criteria that are used to provide advisory or attestation services on SOC engagements (http://bit.ly/2WQVTIE). Appendix B includes a helpful illustration of risks and controls for an example organization. The webpage also includes access to two Excel tables that map the Trust Services Criteria onto the COSO principles and the NIST SP 800-53 controls.
The SOC for Cybersecurity webpages are organized similarly to those for SOC for Service Organizations, and can also be accessed from the SOC main page (https://www.aicpa.org/SOC).
The resources described above have a noticeable focus on SOC 2; many newer users, however, may be better served to begin with SOC 1, which has a narrower focus on internal controls over financial reporting. In addition, SOC 1 appears to be the starting point for CPA exam coverage. The AICPA presents an excellent free resource in the “Audit and Attest” section of its website (https://www.aicpa.org/interestareas/frc/auditattest.html). Specifically, last year the Service Organizations Task Force of the Auditing Standards Board (ASB) issued a 104-page guidebook, “Information for Management of a Service Organization in a SOC 1 Engagement,” in order to assist management in working with auditors (http://bit.ly/36KYuZb). The booklet discusses management’s role and activities in the planning, evaluation, and reporting phases. Planning includes selecting criteria, specifying control objectives, and describing the service organization’s system. Evaluation concerns coordinating with the auditor and preparing management’s assertion. Reporting addresses not only the management assertion, but also understanding the auditor’s report. The guidebook presents six excellent appendices with useful examples such as an outline of a system description, a management assertion, types of assertions and the related risks, and illustrative control objectives for several different scenarios.
The SSAE16.com website (http://ssae16.com/index.html) was launched in July 2010, shortly after the standard was issued, by a CPA who professes to have “several years of experience in performing and managing SAS 70 service auditor examinations.” SSAE 16 has since been superseded by SSAE 18, but the resources on this website are still quite useful and place more emphasis on SOC 1 than the AICPA materials discussed above (http://bit.ly/2ObXqqt). It also has a good explanation of trust services, as well as the historical background leading to SOC engagements.
SSAE16.com has a great collection of links (http://bit.ly/3aTt0mI) to more than a dozen professional organizations and governmental bodies, such as the International Auditing and Assurance Standards Board (IAASB), Information Systems Audit and Control Association (ISACA), and Canadian Institute of Chartered Accountants (CICA).
SSAE16.com is part of a group of related websites, including SAS70.com and ISAE3402.com. Statement on Auditing Standards (SAS) 70 was the predecessor to SSAE 16, while International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, was issued by the IAASB in 2009 and is the international standard with which SSAE 16 was designed to converge.