Frequently asked questions: SOC 2 and 3


1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1?

SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same for all SOC reports. These engagements should be performed by properly licensed CPAs.

2. What are the differences between a SOC 3 and a WebTrust or SysTrust?

The AICPA has used the terms WebTrust and SysTrust to denote a service organization control report focused on the Trust Services Principles and Criteria that is made available to a reader through a link posted on a service organization's website. Recently, the AICPA introduced the term SOC 3 to denote this type of report. The SOC 3 report generally serves as the underlying assurance report for a WebTrust or SysTrust seal. All service auditors who want to provide the registered WebTrust or SysTrust seal must be licensed by the Canadian Institute of Chartered Accountants (CICA). Typically the seal is linked to the report issued by the service auditor. A SOC 3 report may be issued without such seals.

3. Can the same firm complete a readiness assessment for a SOC 2 or 3 if it already provides a SOC 1?

Yes. However, there are certain independence matters that would need to be considered by the service auditor. The service organization would be responsible for, at a minimum, accepting and acknowledging its responsibility for the subject matter of the engagement.

4. Can a service auditor offer joint SOC 1 and 2 engagements?

Yes. When a service organization's controls are relevant to a user entity's internal control over financial reporting and also to the Trust Services Principles, a service auditor may be engaged to perform both a SOC 1 and a SOC 2 engagement. However, the service auditor must report separately on each engagement. The separate reports may be included in a single bound document.

5. Are there two AICPA SOC logos or one? When can we use the logo(s)?

There are three AICPA SOC logos: one (the Service Organization SOC Logo) for service organizations obtaining a SOC report (i.e., SOC 1, SOC 2 and/or SOC 3), one (the SOC 3 Seal) for service organizations obtaining an unqualified SOC 3 report, and one (the Service Auditor CPA SOC Logo) for licensed CPAs performing SOC examinations.

The Service Organization SOC Logo can be used by any service organization for a period of 12 months following the date of receiving a SOC report. If after 12 months a new report is not obtained, the service organization must stop using the Service Organization SOC Logo. A qualified opinion does not affect the use of this logo. The logo costs the service organization nothing to download or use; however, the service organization must abide by the AICPA's Service Organization SOC Logo Terms, Conditions, and Guidelines. Service organizations can apply to obtain the Service Organization SOC Logo in the AICPA Service Organization Control Reports Logos section at http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/soclogosinfo.aspx.

The SOC 3 Seal is specific to service organizations receiving a SOC 3 report. This seal requires the SOC 3 examination to cover one or more of the AICPA/CICA Trust Services Principles and Criteria. In addition, the SOC 3 examination must result in an unqualified opinion. The service organization may display the seal on its website for 12 months from the date when the SOC 3 report is issued. Use of this seal requires a fee, which is determined by the CICA. The service organization must abide by the AICPA/CICA International Seal Usage Guide.

6. Is there an international equivalent standard to SOC 2 or 3?

No. Currently, there is no international equivalent to a SOC 2 or 3 report like there is for a SOC 1 report (i.e., ISAE 3402). However, the International Auditing and Assurance Standards Board has published general attestation standards (i.e., ISAE 3400). Regardless of location, it may be possible to satisfy user entities with a SOC 2 or 3 report performed under AICPA standards. Service organizations with international operations may discuss their needs for an international report with their service auditor.

7. Do SOC 2 or 3 reports have a Type 1 and Type 2 like SOC 1 reports? Also, what is the minimum duration of the reporting period?

Yes. SOC 2 and 3 reports can be issued as of a specified date (Type 1) or for a specified period (Type 2). For a Type 2 report, the reporting period should be useful and not misleading to users of the report. For example, a period of less than two months may not be useful, particularly if the controls are performed on a monthly or quarterly basis.

8. Is it possible to have an Other Information section (section 5) in a SOC 2 report?

The service organization may include other information in a separate section of the SOC 2 report. This information is not covered by the service auditor's report, which would ordinarily include a disclaimer of opinion on the information.

9. Can we now evaluate a disaster recovery plan within a SOC 2?

A disaster recovery plan itself is not a control. Accordingly, a SOC 2 engagement could not be used to evaluate the effectiveness of a disaster recovery plan. However, a SOC 2 engagement could evaluate and test certain controls, such as those related to availability, which would provide relevant information regarding controls related to such plans.

10. Can the financial statement auditors place reliance on a SOC 2 report to support their financial statement opinion?

Although a SOC 2 report can be reviewed by financial statement auditors, and certain controls may be complementary to internal control over financial reporting, the SOC 2 report is not intended to be used in the completion of a financial statement audit. A SOC 1 report contains the information about controls at the service organization that may affect assertions in the user entities' financial statements.

11. What would lead to a modified opinion, such as a qualified opinion, for a SOC 2 or 3?

Similar to a SOC 1 engagement, the service auditor needs to evaluate and test the design and operating effectiveness of the controls that are in place to address the applicable criteria. If the service auditor, through field work, determines that management's description does not fairly present the system, that the controls were not suitably designed to meet the criteria, or that the controls were not operating effectively, this could lead to a modified opinion such as a qualified opinion. When a modified opinion is issued, management would also need to consider any necessary modifications to its assertion.

12. Are SOC 2 or 3 reports relevant to internal control examinations related to Surprise Examinations in accordance with the Custody Rule, or is that a separate circumstance?

We are advising clients to obtain a SOC 1 to meet the internal control examination requirements for the SEC Custody Rule. The processes for custody of assets are financial reporting in nature and thus align well with the scope and nature of a SOC 1.

13. If you already have an ISO 27001 certification, would it be redundant to obtain a SOC 2 report?

A SOC 2 report and an ISO certification have different objectives and users. A SOC 2 report is intended to assist service organization management in reporting to customers that it has met criteria established by the AICPA and CICA; the service auditor's report expresses an opinion covering a period of time. An ISO 27001 engagement is essentially a certification of compliance governed by the ANSI-ASQ National Accreditation Board (ANAB), an organization separate from the AICPA. The ANAB program provides for the establishment and certification of an Information Security Management System (ISMS). ISO 27001 can help organizations develop a best practice ISMS that can be certified by a registrar that has been accredited by the ISO. An ISO 27001 certification does not constitute an opinion expressed by a CPA, as contemplated by AICPA standards.

14. How do the different SOC reports address complementary user entity controls?

A service organization's services may be designed based on the assumption that certain controls will be implemented by user entities. These controls are called complementary user entity controls. In a SOC 1 and 2 engagement, the service auditor evaluates whether the service organization's description adequately describes these controls, and the service auditor's report is modified to indicate that such controls are necessary but were not specifically evaluated. A SOC 3 report differs in that it is a short-form report. The service auditor considers whether complementary user entity controls are significant to achieving the applicable Trust Services Criteria. If so, this could lead to a modified SOC 3 opinion, because in a SOC 3 engagement all of the applicable Trust Services Criteria need to be met for an unqualified opinion, and when complementary user entity controls are significant, the criteria cannot be met entirely by procedures implemented at the service organization.

15. How can internal auditors and audit committees contribute toward successful SOC 2 and 3 engagements?

As with SOC 1 engagements, internal audit professionals can contribute to a successful SOC 2 or 3 engagement by collecting evidence requested by the service auditor, performing the monitoring controls contemplated by management in its design of controls, evaluating the operation of controls periodically throughout the reporting period, and making themselves available for questions. Audit committees can contribute by fulfilling their role as part of the corporate governance structure of the organization.

16. I am struggling to understand the carve-out method versus the inclusive method when the service organization outsources some function (e.g., data storage) to a subservice organization. What are the implications of selecting one versus the other? Is one more involved than the other? What if that subservice organization itself obtains its own "clean" SOC 2 report? How does that affect what needs to be in the service organization's system description?

Generally, a service organization that outsources one or more of its functions can elect whether or not to include those functions as part of its SOC 2 report. If the organization chooses to include those functions, it would follow the inclusive method. The inclusive method requires the service organization to describe the controls performed by the subservice organization, and management of the subservice organization is required to supply a management assertion letter. The subservice organization is covered by the service auditor's report, and controls at the subservice organization are evaluated. On the other hand, if the service organization elects to exclude the subservice organization's functions from its report, it would follow the carve-out method. Under this method, the service organization needs only to refer to the performance of activities by the subservice organization within the description of the system. The subservice organization would not be covered by the service auditor's report, and the service auditor would not evaluate the controls at the subservice organization.

17. Where can we get our hands on some actual SOC 2 reports to see some samples or examples of how different companies approach their system description?

Unfortunately, the use of a SOC 2 report is restricted and, therefore, distribution is limited. The AICPA is currently drafting an example SOC 2 report.

18. Why would Processing Integrity ordinarily be covered by a SOC 2 or 3 report, rather than a SOC 1 report?

Processing Integrity is one of the five Trust Services Principles covered by SOC 2 and 3 reports, and defined criteria have been established relating to this principle. If a service organization would like to report on controls relating to this principle, a SOC 2 or 3 report is the reporting vehicle to use. Separately, a SOC 1 report covers controls that are likely to be relevant to a user entity's internal control over financial reporting. Depending on the service organization's offerings, certain criteria or control activities associated with the Processing Integrity principle could also be relevant to a client's internal control over financial reporting and therefore could be incorporated within the control activities evaluated within a SOC 1. However, in this case, the service auditor would not indicate that the Processing Integrity principle had been met; he or she would use the standard SOC 1 opinion language and criteria.

19. With the proliferation of cloud reporting and concerns over security, are auditors raising the bar relative to internal controls?

With the proliferation of cloud-based systems and the fact that many companies are turning to third parties that offer cloud-based solutions, the need for assurance on controls is certainly increasing. We anticipate that user entities will begin to request SOC 2 reports that focus on the security and availability principles more frequently. However, the standards that auditors must comply with relative to these reports are the same as they have been in the past.

20. Who are the intended users of a SOC 2 or 3 report?

A SOC 2 report is intended solely for the information and use of the service organization; users of the service organization's system during some or all of the reporting period; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following: (1) the nature of the service provided by the company; (2) how the company's system interacts with user entities, subservice organizations and other parties; (3) internal control and its limitations; (4) complementary user-entity controls and how they interact with related controls at the company to meet the applicable Trust Services Criteria; and (5) the applicable Trust Services Criteria, the risks that may threaten the achievement of the applicable Trust Services Criteria, and how controls address those risks. References to customers within a SOC 2 report are intended to refer to the customers of a service organization. Customers of user organizations that rely upon the service organization for services would also be considered customers of the service organization. A SOC 3 report is a general use report and is posted to a service organization's website for accessibility.

21. Are there still concerns about the inappropriate use of SOC 1 reports for controls other than financial reporting?

Yes; the need to apply the most relevant attestation standard to the subject matter is still important. Interestingly, the different types of attestation reports that are available can look very much alike, and it is possible for a user organization or auditor to obtain benefit from a variety of attestation reports. The key is for the users of the report to understand it and evaluate what benefits may be derived.

22. Where can the prescribed criteria for each of the Trust Services Principles be obtained?

The Trust Services Principles, Criteria, and Illustrations are available through the AICPA website: http://www.cpa2biz.com/ast/main/cpa2biz_primary/accounting/industryspecificguidance/prdovr~pc-005142/PC-005142.jsp.

23. Are SOC reports applicable to private companies?

Yes. A SOC report may be obtained for a private company. Generally, the undertaking of a SOC engagement originates from the desire of management to demonstrate its commitment to a formal control environment and a goal of continual improvement, or to satisfy the requirements of a user organization.

24. Can the controls covered by a SOC 2 report be limited to avoid reporting identified exceptions?

The controls covered by a SOC 2 report follow the prescribed Trust Services Principles and Criteria outlined in TSP Section 100. A service organization may elect to have a SOC 2 engagement covering any or all of the Trust Services Principles, and this decision may be made considering user requests. The service auditor will not typically exclude principles unless the service organization can present a valid case for doing so.

For more information, contact a member of our Special Attestation Reports Solution Group:

Kirt Seale, National and Central Region Leader, T 214.561.2367, E kirt.seale@us.gt.com
Dennis Bell, Northeast Region Leader, T 215.376.6030, E dennis.bell@us.gt.com
Vincent Concialdi, Midwest Region Leader, T 312.602.8731, E vincent.concialdi@us.gt.com
Brett Williams, Southeast Region Leader, T 404.475.0015, E brett.williams@us.gt.com
Jeff Spivack, West Region Leader, T 415.365.5434, E jeff.spivack@us.gt.com

About Grant Thornton LLP

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.grantthornton.com.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.