In mid-2011, the American Institute of Certified Public Accountants (AICPA) established a Service Organization Controls (SOC) reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations.
Additionally, the AICPA sought to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as a mechanism for reporting on security, compliance, and operational controls.
To achieve these goals, the AICPA released the following reporting framework:
- SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
- SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
- SOC 3: SysTrust for Service Organizations
Of the three, SOC 2 is the only new type of examination. Despite being new, customers are already expecting, if not requiring, providers to undergo SOC 2 examinations. In many cases, these expectations are on top of existing SOC 1 (SSAE 16) obligations.
To fully appreciate SOC 2, one would need to read the 150-paged professional guide on the topic.
Realizing that is not feasible for most cloud providers, I have prepared the following ten points to give cloud computing providers and their customers a conversational understanding of SOC 2:
- SOC 2 examinations are designed to provide organizations that outsource the operation, collection, processing, transmission, storage, organization, maintenance and/or disposal of their information to third parties a mechanism for assessing governance and oversight at those service providers. Unlike SOC 1 (SSAE 16), the focus is on controls related to security, compliance, and operations, rather than controls relevant to financial reporting.
- SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report.
- SOC 2 examinations report on controls that mitigate the risks of achieving the following “Trust Services” principles:
- Security - The system is protected against unauthorized physical and logical access.
- Availability - The system is available for operation and use as committed or agreed.
- Processing Integrity - System processing is complete, accurate, timely, and authorized.
- Confidentiality - Information designated as confidential is protected as committed or agreed.
- Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).
- All five Trust Services principles are not required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives. This decision is based on the relevance of each principle to their services, as well as the interests of their customers.
- When selecting a Trust Services principle, the cloud provider essentially asserts compliance with the principle and its underlying “criteria”. Before selecting a principle, it is absolutely critical that cloud providers review the principles and underlying criteria to confirm an ability to meet the criteria. It is worth noting that, of the five Trust Services principles, the Privacy principle is particularly involved and should be selected with due care.
- There are two types of SOC 2 examinations known as “type 1” and “type 2”. Both types of reports contain an auditor’s opinion letter, management’s assertion, as well as a system description prepared by management that describes the controls implemented to meet the criteria, among other topics. For a type 1 examination, the auditor opines on whether management has fairly described its system and whether its controls are suitability designed to meet the applicable Trust Services criteria as of a point in time. Type 2 examinations report on those same topics, but the auditor also tests the controls and opines on the operating effectiveness of those controls during a specified review period (normally 6 – 12 months in duration). Type 2 reports are the most prevalent of the two report types.
- There are no bright line rules defining the specific controls that must be implemented in order to meet the criteria of selected principles. For example, criterion 3.4 of the security principle states: “Procedures exist to protect against unauthorized access to system resources.” The criteria provide several illustrative controls that could be used to meet the criterion, including the use of VPNs, firewalls and intrusion detection systems. However, none of the illustrative controls are required. Cloud providers have full discretion to present their own internal controls without issue so long as those controls meet the criteria for the selected Trust Services principles.
- The scope of a SOC 2 examination can be modified based on the services provided. For example, otherwise applicable Trust Services criterion may be omitted if they are not applicable to the service that is the subject of the engagement. Similarly, the scope of a SOC 2 examination can be expanded to report on topics not specifically covered by the SOC 2 guidance. This gives cloud providers the ability to request that the auditor also report on compliance with other frameworks, such as the security requirements of HIPAA or the Cloud Security Alliance (CSA) Cloud Controls Matrix within a single SOC 2 report.
- SOC 2 is not a certification; however, service organizations that complete a SOC 2 examination are entitled to display the AICPA’s service organization logo on their promotional material and website for 12 months following the date of the report. Unlike SOC 3 (SysTrust), there is no licensing fee to use the logo, but its use is contingent on compliance with the terms, conditions and guidelines set forth by the AICPA.
- Although SOC 2 is very similar in form to SOC 1 (SSAE 16), the two have distinctly different purposes and one cannot be used as substitutes for the other. Furthermore, it is entirely possible that a cloud provider would have a valid need for a SOC 1 and a SOC 2 examination depending on the nature of its services.
For those seeking additional information on this topic, the AICPA has created a dedicated site for SOC reporting topics, found here.
The detailed list of criteria for the security, availability, processing integrity and confidentiality principles are found here. The detailed criteria for the privacy principle are found here. The official AICPA SOC 2 guide is available for purchase here.
Chris Schellman is the President of BrightLine, the only company in the world accredited as a CPA firm, PCI QSA Company, and ISO 27001 Registrar. He is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.