I’m still waiting for a service organization to write a press release that is:
- replete of the word “certification“
- shows a moderate level of understanding about SOC attestations
- announces that the service organization conducted the right SOC attestation
This morning I was greeted with a press release from First To File ®, announcing that they have “passed” their SSAE 16 audit “for the third year in a row”.
Hmmm. Considering the SSAE 16 standard wasn’t released until 2010 that’s a pretty neat trick! But that isn’t really why I’m writing about this press release. And I really am not trying to pick on First To File ®. Their press release just happens to contain many of the issues I have been trying to address with this blog. Apologies in advance.
It appears to me based on the description of First to File’s® business (patent prosecution support and document management service) that the SOC 1 audit was probably not the right type of SOC review for them to undertake in the first place. One of the primary reasons that the AICPA decided to do away with SAS 70 and create the SOC standards was because SAS 70 was being misused.
The AICPA white paper describing the new SOC standards says it best: “As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations.” 1
SOC 1 reports focus “solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.” 2
So if First to File® is in the business of document management, how do their services have any relevance to a user entity’s financial statements? They are merely storing intellectual property (IP) in a web-based environment for their customers.
The only impact to the financial statements of their customers would be the fees paid by the customer for the services rendered. You might even stretch things and conclude that the value of the IP is at risk since it is being stored and protected by a third party. But that still does not justify the use of a SOC 1 (SSAE 16) report.
Certainly their customers would be interested in knowing what types of controls over the security and confidentiality of that intellectual property First to File® has in place. This is precisely the scenario that the AICPA created the SOC 2 report for.
It is intended for situations where a report is needed about controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy.
Of these, it appears to me at first glance that customers of a company providing document management services would certainly be interested in controls around security, confidentiality, and privacy. Perhaps even availability since it would be important to know that the web-based services would be available when needed.
So why would First to File® decide to ask their auditor for an SSAE 16 report? Because the AICPA and many CPA firms have not sufficiently educated the marketplace regarding the intent and appropriateness of SOC 1 vs SOC 2 vs SOC 3. Which is why I felt compelled to share this blog.
I can’t really blame the marketing and public relations folks that drafted the First to File® press release. If CPAs and other controls experts can’t figure out the new standards, we shouldn’t expect marketing folks to get it. If anyone is at fault, it would be the CPA firm that undertook the engagement.
They should have done a better job of explaining the options and steered the customer away from SOC 1 and toward SOC 2. If after thoroughly understanding the options, the company still elected to have a SOC 1 (SSAE 16) report prepared, then all we can say is “the customer is always right“.
1 Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report – AICPA, Nov 2010
Cross-posted from IT Controls Freak