What do the following three terms have in common?
The simple answer is that all these terms are inter linked in some way and are assurances over outsourced operations. In other words a SAS 70 report, a SSAE16 auditor report etc give assurance to the user of the audit report that
the internal controls at the service provider are effective if the report is unqualified.
With increased globalization, outsourcing seems to be the business mantra. Companies outsource systems, business processes and data processing. All outsourcing is done with an assumption that the operational risk at the service provider will be effectively managed and that the service provider is able to build a robust internal control framework.
In doing so, user organisation (the company that outsources the activities) needs to gain comfort that the data, processes, inputs and outputs at the service provider location are effectively handled and does not expose user organisation to any reputation or other risks.
Till recently, this was done using SAS 70 reports [Statement on Auditing Standards 70]. This gave organisation a broad comfort over the controls at service provider.
However, the biggest weakness of SAS 70 reporting was its main focus was on risks relating to internal control over financial reporting. But what about risks such as give below.
1. Systems are not available at service provide to process information
2. Data confidentially of client/customer information
3. What type of security is available so that information assets are protected.
Need for a CPA review/audit
As per AICPA website, "A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers."
For this purpose and to address varying requirement of the engagement, AICPA has introduced SERIVICE ORGANISATION CONTROL (SOC)Reports. There are three types of SOC reports and you guessed it right. SOC1,SOC2 and SOC3.
SSAE 16 has two types of reports.
1. A Type 1 report is one in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the design effectiveness of the controls. It is merely saying that the organisation has built in controls to manage and process information in manner that will ensure that the user organization does not have material misstatement of its financial statements.
An example can make it clear. Let us suppose the service provider is processing Accounts Payable invoices. Then an excel error at the outsourced service provider may result in the provider understating liability (AP balances) because the updated excel sheet was not used for reporting to User organisation and 100 invoices that were received, recorded but wrongly summarized and reported.
2. A type 2 report is one in which in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system, opinion on the design effectiveness of the controls AND on the operating effectiveness of these controls. So, type 3 report can only be issued once the controls have been tested for their operating effectiveness.
The purpose of the SOC 2 report is to provide an assurance or an opinion on the level of trust and assurance that user auditor and user organisation can derive from the system that the service organization has deployed that
effectively mitigate operational and compliance risks.
SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are: