Data Security in the Cloud: SOC Reports for Service Organizations

SOC 1® – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)

Prepared under SSAE 18 section AT-C 320, these reports are specifically intended to meet the needs of entities that use service organizations and the CPAs that audit the user entities’ financial statements. The use of these reports is restricted to the service organization’s management, user entities, and auditors.

There are two types of reports for SOC 1 engagements, Type 1 and Type 2. While both types report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, a Type 1 report is as of a specified date (single point in time). In contrast, a Type 2 report is throughout a specified period (usually a 6-12 month period).

Many organizations will start with a SOC 1 Type 1 report before obtaining their SOC 1 Type 2 report. Armed with the results of the Type 1, these organizations are better equipped to create a remediation plan that would ensure a favorable Type 2 report.

When does it make sense for you to ask your technology provider for a copy of their SOC 1 report?

If your technology provider is hosting financial information that could affect financial reporting, I strongly recommend requesting a copy of that provider’s SOC 1 report.

SOC 2® – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Services Criteria)

Prepared under SSAE 18 sections AT-C 105 and 205, these reports provide information about the security of controls, and optionally also the availability, confidentiality, privacy and processing integrity of the systems used to process users’ data.

Management of an entity also may use the TSC to evaluate the suitability of design and operating effectiveness of such controls. As a result, these reports can play an important role in the organizational oversight, provider management programs, internal corporate governance and risk management processes, and regulatory oversight. Generally, only parties with an understanding of the service organization and its controls may use these reports.

SOC 2 reports types are similar to SOC 1. There are two types of reports, Type 1 and Type 2. A Type 1 report is as of a specified date (single point in time), whereas a Type 2 report is throughout a specified period (usually a 6-12 month period). SOC 2 reports focus on the suitability of management’s description of a service organization’s system and the design of controls utilizing the TSC.

As with SOC 1 reports, many organizations will start with a SOC 2 Type 1 report and use the results of that report to create a remediation plan that would ensure a favorable Type 2 report.

When does it make sense for you to ask your technology provider for a copy of their SOC 2 report?

If that provider is hosting non-financial information, you want to ensure that they are securely handling your data and that your data will be available to you in the manner that it was contractually written to be available to you, I strongly recommend requesting a copy of that provider’s SOC 2 report.

SOC for Cybersecurity

Prepared under SSAE 18 sections AT-C 105 and 205, SOC for Cybersecurity is a cybersecurity risk management examination introduced by the AICPA in April of 2017. This report is designed to provide general users with useful information about an entity’s cybersecurity risk management program for making informed decisions.

This report is intended for a broad range of users whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program, including management, directors, and other stakeholders.

SOC for Cybersecurity reports types are similar to both SOC 1 and 2 reports. There are two types of reports, Type 1 and Type 2. A Type 1 report is as of a specified date (single point in time), whereas a Type 2 report is throughout a specified period (usually a 6-12 month period). SOC for Cybersecurity reports focuses on the effectiveness of controls within the entity’s cybersecurity risk management program to achieve the entity’s cybersecurity objectives based on the control criteria.

And as with SOC 1 and 2 reports, many organizations will start with a SOC for Cybersecurity Type 1 report and use the results of that report to create a remediation plan that would ensure a favorable Type 2 report.

The SOC 2 and SOC for Cybersecurity report contents are structured similarly. However, there are a few key differences. While both report components are related to the service organization’s system and effectiveness of controls, a SOC 2 report relates to the Trust Services Criteria. In contrast, SOC for Cybersecurity reports on the entity’s cybersecurity risk management program.

Because a SOC for cybersecurity report is considered appropriate for general use, it will not be as detailed as a SOC 2 report. For example, a SOC for cybersecurity report does not contain a detailed description of the controls tested by the auditor, the test procedures, or the results of the test procedures.

The AICPA has an excellent resource center devoted to SOC for Cybersecurity reporting.

When does it make sense for you to ask your technology provider for a copy of their SOC for Cybersecurity report?

If you have concerns or would like assurance regarding the nature of your technology providers’ plans to keep your data safe – or if your technology provider has a history of data breaches, I strongly recommend requesting to review their SOC for Cybersecurity report.

SOC 3® – Trust Services Criteria for General Use Report

Not all users have the need for or knowledge necessary to make use of a SOC 2 report. Those users have the SOC 3 report.

Prepared under SSAE 18 sections AT-C 105 and 205, SOC 3 reports provide assurance about the controls at a service organization that affects the security, availability, and processing integrity of the systems used by a service organization to process users’ information. It also provides assurance about the confidentiality or privacy of that information.

Unlike SOC 1 and SOC 2 reports, which have a restricted distribution, SOC 3 reports are for general use, designed to be relevant to current and prospective customers. Some technology providers will use SOC 3 reports as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc.

And while the same standard governs SOC 2 and SOC 3 reports – AT-C 105 and 205 – unlike a SOC 2 report, a SOC 3 report will only ever be a Type 2 report. Therefore, a SOC 3 report will always report on the suitability of management’s description of a service organization’s system and the design and operating effectiveness of controls throughout a specified period.

Due to its general use nature, a SOC 3 report does not contain a detailed description of the controls tested by the auditor, the test procedures, or the results of the test procedures.

When does it make sense for you to ask your technology provider for a copy of their SOC 3 report?

Because a SOC 3 report is a general use report, it can be freely distributed, and as mentioned above, some technology providers will use these reports as a marketing tool. If you are considering several different technology providers, their SOC 3 report may be a good place to start your research, especially if it’s available on their website.

Data Security in the Cloud Matters

It doesn’t matter where your firm is on the technology adoption curve – cloud technology is an integral part of the future of a successful, thriving accounting firm. And as your firm invests in cloud technologies that support firm growth, partners and managers need to understand how their technology providers protect firm and client data, including when and what type of SOC report to request.

SOC reporting is no longer a topic that only SOC Auditors need to understand – CPA firm managers and partners need to have a strong understanding of the security of the operating environment, application controls, data privacy and data security.

Consider whether the solutions and services your firm uses in its day-to-day operations adequately protect firm and client data. While your technology provider is in charge of the security of controls, availability, confidentiality, privacy and processing integrity of the systems that house your data, at the end of the day, it’s the partners who are usually responsible if controls over outsourced functions – including data warehousing – fail.