Frequently asked questions: SOC 2 and 3

Transcription

1 1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same for all SOC reports. These engagements should be performed by properly licensed CPAs. 2. What are the differences between a SOC 3 and a WebTrust TM or SysTrust SM? The AICPA has used the terms WebTrust and SysTrust to denote a service organization control report focused on the Trust Services Principles and Criteria that is made available to a reader through a link posted to a service organization s website. Recently, the AICPA introduced the term SOC 3 to denote this type of report. The SOC 3 report generally serves as the underlying assurance report for a WebTrust or SysTrust seal. All service auditors who want to provide the registered WebTrust or SysTrust seal must be licensed by the Canadian Institute of Chartered Accountants (CICA). Typically the seal is linked to the report issued by the service auditor. A SOC 3 report may be issued without such seals. 3. Can the same firm complete a readiness assessment for a SOC 2 or 3 if it already provides a SOC 1? Yes. However, there are certain independence matters that would need to be considered by the service auditor. The service organization would be responsible for, at a minimum, accepting and acknowledging its responsibility for the subject matter of the engagement. 4. Can a service auditor offer joint SOC 1 and 2 engagements? Yes. When a service organization s controls are relevant to a user entity s internal control over financial reporting and also to the Trust Services Principles, a service auditor may be engaged to perform both a SOC 1 and a SOC 2 engagement. However, the service auditor must report separately on each engagement. The separate reports may be included in a single bound document. 5. Are there two AICPA SOC logos or one? When can we use the logo(s)? There are three AICPA SOC logos: one ( Service Organization SOC Logo ) for service organizations obtaining a SOC report (i.e., SOC 1, SOC2 and/or SOC 3), one ( SOC 3 Seal ) for service organizations obtaining an unqualified SOC 3 report, and one ( Service Auditor CPA SOC Logo ) for licensed CPAs performing SOC examinations. When can we use the logo(s)? The Service Organization SOC Logo can be used by any service organization for a period of 12 months following the date of receiving a SOC report. If after 12 months a new report is not obtained, the service organization must stop using the Service Organization SOC Logo. A qualified opinion does not affect the use of this logo. This logo does not cost anything for the service organization to download or use it; however, the service organization must abide by the AICPA s Service Organization SOC Logo Terms, Conditions, and Guidelines. Service organizations can apply to obtain the Service Organization SOC Logo at Frequently asked questions: SOC 2 and 3 1

2 the AICPA Service Organization Control Reports Logos section at The SOC 3 Seal is specific to service organizations receiving a SOC 3 report. This seal requires the SOC 3 examination to cover one or more of the AICPA/CICA Trust Services Principles and Criteria. In addition, the SOC 3 examination must be an unqualified opinion. The service organization may display the logo on its website for 12 months from the date when the SOC 3 report is issued. The use of this logo will require a fee, which is determined by the CICA. The service organization must abide by the AICPA/CICA International Seal Usage Guide. 6. Is there an international equivalent standard to SOC 2 or 3? No. currently, there is no international equivalent to a SOC 2 or 3 report like there is for a SOC 1 report (i.e., ISAE 3402). However, the International Auditing and Assurance Standards Board has published general attestation standards (i.e., ISAE 3400). Regardless of the location, it may be may be possible to satisfy user entities with a SOC 2 or 3 report performed under AICPA standards. Service organizations with international operations may discuss their needs for an international report with their service auditor. 7. Do SOC 2 or 3 reports have a Type 1 and Type 2 like SOC 1 reports? Also, what is the minimum duration of the reporting period? Yes. SOC 2 and 3 reports can be issued as of a specified date (Type 1) or for a specified period (Type 2). For a Type 2 report, the reporting period should be useful and not misleading to users of the report. For example, a period of less than two months may not be useful, particularly if the controls are performed on a monthly or quarterly basis. 8. Is it possible to have an Other Information (section 5) in a SOC 2 report? The service organization may include other information in a separate section of the SOC 2 report. This information is not covered by the service auditor s report, which would ordinarily include a disclaimer of an opinion on the information. 9. Can we now evaluate a disaster recovery plan within a SOC 2? A disaster recovery plan itself is not a control. Accordingly, a SOC 2 engagement could not be used to evaluate the effectiveness of a disaster recovery plan. However, a SOC 2 engagement could evaluate and test certain controls, such as those related to availability, which would provide relevant information regarding controls related to such plans. 10. Can the financial statement auditors place reliance on a SOC 2 report to support their financial statement opinion? Although a SOC 2 report can be reviewed by financial statement auditors, and certain controls may be complementary to internal control over financial reporting, the SOC 2 report is not intended to be used in the completion of a financial statement audit. A SOC 1 report contains the information about controls at the service organization that may affect assertions in the user entities financial statements. Frequently asked questions: SOC 2 and 3 2

3 11. What would lead to a modified opinion, such as a qualified opinion, for a SOC 2 or 3? Similar to a SOC 1 engagement, the service auditor needs to evaluate and test the design and operating effectiveness of the controls that are in place to address the applicable criteria. If the service auditor, through field work, determines that management s description does not fairly present the system, the controls were not suitably designed to meet the criteria, or the controls were not operating effectively, this could lead to a modified opinion such as a qualified opinion. When a modified opinion is issued, management would need to also consider any necessary modifications to its assertion. 12. Are SOC 2 or 3 reports relevant to internal control examinations related to Surprise Examinations in accordance with the Custody Rule, or is that a separate circumstance? We are advising clients to obtain a SOC 1 to meet the internal control examination requirements for the SEC Custody Rule. The processes for custody of assets are financial reporting in nature, and thus, link nicely with the scope and nature of a SOC If you already have an ISO certification, would it be redundant to obtain a SOC 2 report? A SOC 2 report and an ISO certification have different objectives and users. A SOC 2 report is intended to assist service organization management in reporting to customers that it has met criteria established by the AICPA and CICA; the service auditor s report expresses an opinion covering a period of time. An ISO engagement is essentially a certification of compliance governed by the ANSI-ASQ National Accreditation Board (ANAB), an organization separate from the AICPA. The ANAB program provides for the establishment and certification of an Information Security Management System (ISMS). ISO can help organizations develop a best practice ISMS that can be certified by a registrar that has been accredited by the ISO. An ISO certification does not constitute an opinion expressed by a CPA, as contemplated by AICPA standards. 14. How do the different SOC reports address complementary user entity controls? A service organization s services may be designed based on the assumption that certain controls need to be implemented by user entities. These controls are called complementary user entity controls. In a SOC 1 and 2 engagement, the service auditor evaluates whether the service organization s description adequately describes these controls, and the service auditor s report is modified to essentially indicate that such controls are necessary but were not specifically evaluated. A SOC 3 report differs in that it is a short-form report. A service auditor considers whether complementary user entity controls are significant to achieving the applicable Trust Services Criteria. If this is the case, it could lead to a modified SOC 3 opinion. This is because in a SOC 3 engagement, all of the applicable Trust Services Criteria need to be met for an unqualified opinion. When complementary user entity controls are significant, the criteria cannot be met entirely by procedures implemented at the service organization. Frequently asked questions: SOC 2 and 3 3

4 15. How can internal auditors and audit committees contribute toward successful SOC 2 and 3 engagements? As with SOC 1 engagements, internal audit professionals can contribute to a successful SOC 2 or 3 engagement through collecting evidence requested by the service auditor, performing the monitoring controls contemplated by management in its design of controls, evaluating the operation of controls periodically throughout the reporting period, and making themselves available for questions. Audit committees can contribute by fulfilling their role as part of the corporate governance structure of the organization. 16. I am struggling to understand the carve-out method versus the inclusive method when the service organization outsources some function (e.g., data storage) to a subservice organization. What are the implications of selecting one versus the other? Is one more involved than the other? What if that subservice organization itself obtains its own "clean" SOC 2 report? How does that affect what needs to be in the service organization's system description? Generally, a service organization that outsources one or more of its functions can elect whether or not to include those functions as part of its SOC 2 report. If the organization choses to include those functions, it would follow the inclusive method. The inclusive method requires the service organization to describe the controls performed by the subservice organization, and management of the subservice organization is required to supply a management assertion letter. The subservice organization is covered by the service auditor s report, and controls at the subservice organization are evaluated. On the other hand, if the service organization elected to exclude the subservice organization s functions from its report, it would follow the carve-out method. Under this method, the service organization needs only to refer to the performance of activities by the subservice organization within the description of the system. The subservice organization would not be covered by the service auditor s report, and the service auditor would not evaluate the controls at the subservice organization. 17. Where can we get our hands on some actual SOC 2 reports to see some samples or examples of how different companies approach their system description? Unfortunately, the use of a SOC 2 report is restricted and, therefore, distribution is limited. The AICPA is currently drafting an example SOC 2 report. 18. Why would Processing Integrity ordinarily be covered by a SOC 2 or 3 report, rather than a SOC 1 report? Processing Integrity is one of the five Trust Services Principles covered by SOC 2 and 3 reports, and defined criteria have been established relating to this principle. If a service organization would like to report on controls relating to this principle, a SOC 2 or 3 report is the reporting vehicle to use. Separately, a SOC 1 report covers controls that are likely to be relevant to a user entity s internal controls over financial reporting. Depending on the service organization s offerings, certain criteria or control activities associated with the Processing Integrity principle could also be relevant to a client s internal control over financial reporting and therefore could be incorporated within the control activities evaluated within a SOC 1. However, in this case, the service auditor would not indicate that the Processing Integrity principle had been met; he or she would use the standard SOC 1 opinion language and criteria. Frequently asked questions: SOC 2 and 3 4

5 19. With the proliferation of cloud reporting and concerns over security, are auditors raising the bar relative to internal controls? With the proliferation of cloud-based systems and the fact that many companies are turning to thirdparties that offer cloud-based solutions, the need for assurance on controls is certainly increasing. We anticipate that user entities will begin to more frequently request SOC 2 reports that focus on the security and availability principles. However, the standards that auditors must comply with relative to these reports are the same as it has been in the past. 20. Who are the intended users of a SOC 2 or 3 report? A SOC 2 report is intended solely for the information and use of the service organization and users of the service organizations system during some or all of the reporting period; and prospective user entities, independent auditors, and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following; (1) the nature of the service provided by the company; (2) how the company s system interacts with user entities, subservice organizations and other parties; (3) internal control and its limitations; (4) complementary user-entity controls and how they interact with related controls at the company to meet the applicable Trust Services Criteria; and (5) the applicable Trust Services Criteria and the risks that they may threaten the achievement of the applicable Trust Services Criteria and how controls address those risks. References to customers within a SOC 2 report are intended to refer to the customers of a service organization. Customers of user organizations that rely upon the service organization for services would also considered customers of the service organization. A SOC 3 report is a general use report and is posted to a service organization s website for accessibility. 21. Are there still concerns about the inappropriate use of SOC 1 reports for controls other than financial reporting? Yes, the need to apply the most relevant attestation standard to the subject matter is still important. Interestingly, the different types of attestation reports that are available can look very much alike, and it is possible for a user organization or auditor to obtain benefit from a variety of attestation reports. The key is for the users of the report to understand it and evaluate what benefits may be derived. 22. Where can the prescribed criteria for each of the Trust Services Principles be obtained? The Trust Services Principles, Criteria, and Illustrations are available through the AICPA website: /PC jsp. 23. Are SOC reports applicable to private companies? Yes. A SOC report may be obtained for a private company. Generally, the undertaking of a SOC engagement originates from the desire of management to demonstrate its commitment to a formal control environment and a goal of continual improvement, or to satisfy the requirements of a user organization. Frequently asked questions: SOC 2 and 3 5

6 24. Can the controls covered by a SOC 2 report be limited to avoid reporting identified exceptions? The controls covered by a SOC 2 report follow prescribed Trust Services Principles and Criteria outlined in TSP Section 100. A service organization may elect to have a SOC 2 engagement covering any or all of the Trust Services Principles, and this decision may be made considering user requests. The service auditor will not typically exclude principles unless the service organization can present a valid case for doing so. For more information, contact a member of our Special Attestation Reports Solution Group: Kirt Seale National and Central Region Leader T E kirt.seale@us.gt.com Dennis Bell Northeast Region Leader T E dennis.bell@us.gt.com Vincent Concialdi Midwest Region Leader T E vincent.concialdi@us.gt.com Brett Williams Southeast Region Leader T E brett.williams@us.gt.com Jeff Spivack West Region Leader T E jeff.spivack@us.gt.com About Grant Thornton LLP The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner. Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd Frequently asked questions: SOC 2 and 3 6