SOC 1 Audit (ISAE 3402 and SSAE 18) and SOC 2 Audit (ISAE 3000 + TSP 100 Trust Principles/Criteria)

Introduction

It is common practice these days for organisations to outsource specific business tasks to third parties (also called “service organisations”). By implication, when tasks are outsourced, part of the organisation’s internal control system is extended to, and falls within the ambit of, the service provider (i.e. the service organisation). In other words, for the organisation to account for sound corporate and IT governance, both the organisation and the service organisation must implement adequate and effective internal control systems.
Moreover, the organisation remains accountable for ensuring that the service organisation takes responsibility for its part of the internal control system, primarily the business process and application controls, as well as the general IT controls.

The solution

There are two ways in which the organisation (let us call it “A”, for the sake of illustration) can achieve this. One option is to engage “A’s” own auditors to audit the service organisation’s implemented controls (specifically, those controls relevant to “A’s” own internal control system). We will name the service organisation “B”.
Usually, “B” serves many other clients too, all of whom also demand to audit “B’s” implemented controls, which are usually remarkably similar across its client base. To avoid a stampede of auditors converging simultaneously, “B” instead obtains an independent annual assurance report, in which an auditor assesses and provides an opinion on the design effectiveness (adequacy) as well as the operational effectiveness of the internal control systems that “B” has implemented to provide services to its clients. Service organisations like “B” opt for such an independent audit because of the strain that client-by-client audits place on their time and resources.

There are three types of independent assurance reports that can be obtained: SOC 1, SOC 2, and/or SOC 3. SOC is the acronym for “Service Organisation Control”. Futura International, in association with partner audit firms, provides SOC 1 and SOC 2 audits to clients.

SOC 1

SOC 1 is specific to financial reporting.

The audit addresses the service organisation’s (“B’s”) internal control system in so far as it is likely to be relevant to “A’s” internal control over financial reporting, and expresses an opinion on the design effectiveness (adequacy) as well as the operational effectiveness of the internal control systems that “B” has implemented to provide services to “A”. The audit essentially covers business process and application controls as well as general IT controls, where relevant to “A’s” internal control over financial reporting.
The external auditors of “A” (also called the “user entity”) rely on the SOC 1 report, which is provided by the service organisation’s auditor, known as the “service auditor”. It is acknowledged and accepted that the service organisation’s internal control system and that of its user entity form part of one another, thus ensuring that transaction processing is complete, accurate and valid, and that financial reports are generated accordingly.

In countries outside the USA, the audit standard currently in use to conduct the SOC 1 audit (independent assurance) falls under the “International Standard on Assurance Engagements” (ISAE), specifically the ISAE 3402: Assurance reports on controls at a service organisation. The standard has been issued by the International Auditing and Assurance Standards Board (IAASB).

SOC 2

SOC 2 covers security, availability, processing integrity, confidentiality and privacy controls.

This particular audit is conducted under the standard belonging to the AICPA (American Institute of Certified Public Accountants), referred to as the “trust services criteria for security, availability, processing integrity, confidentiality and privacy”, as set forth in TSP section 100, 2017 (updated March 2020), and established by the AICPA’s Assurance Services Executive Committee (ASEC). In addition to the trust services criteria, SOC 2 also covers some COSO (Committee of Sponsoring Organisations of the Treadway Commission) “points of focus”.

These points of focus represent important characteristics of the trust services criteria, assisting management when designing, implementing, and operating controls over security, availability, processing integrity, confidentiality, and privacy.
To obtain a SOC 2 report, a service organisation chooses from five principles: the management of the organisation may choose to be audited on all five principles, or on just one, two, three or four of them. The principles are:
  • Security: addresses all logical and physical security controls.
  • Availability: covers all data and system controls ensuring the availability of data and systems to legitimate users (e.g. backups, data replication and disaster recovery controls).
  • Confidentiality: covers the controls related to the protection of the user entity’s (“A’s”) intellectual property information handled by the service organisation.
  • Privacy: unlike the confidentiality principle, relates to the controls ensuring the protection of a private individual’s personal data.
  • Processing integrity: addresses the service organisation’s business process and application controls, ensuring data integrity (i.e. the completeness, accuracy and validity of processed data).

In countries outside the USA, the audit standard being used to conduct the SOC 2 audit (independent assurance) is the “International Standard on Assurance Engagements (ISAE)” – which is the ISAE 3000: “Assurance Engagements Other Than Audits or Reviews of Historical Financial Information”. This standard has been issued by the International Auditing and Assurance Standards Board (IAASB).

Type I and Type II reports

SOC 1 and SOC 2 reports are further sub-divided into Type I and Type II reports.
The more valuable of the two is the Type II report. The Type I report only covers the design effectiveness (adequacy) of the service organisation’s internal control system, whilst the Type II report covers both the design effectiveness (adequacy) and the operational effectiveness of the service organisation’s internal control system. Simply put, by focusing on design effectiveness (Type I), the auditor evaluates whether the controls exist and are suitably designed, but does not report on whether they operate effectively.
The Type II audit entails auditing operational effectiveness and, where needed, the processes are sampled for testing. The Type I report speaks to a single point in time, while the Type II report covers a specific period (normally 12 months, but it could also cover a period of less than 12 months). The Type I audit is normally conducted first, so as to alert the service organisation to any deficiencies in the design of its controls. If, however, the service organisation is confident that the design of its controls is adequate and that these controls are operating effectively (with no control breakdowns), the auditor and the management of the service organisation have the option to commission a Type II report directly.
Alternatively, if the service organisation remains unsure about the adequacy (design) of its controls, the Type I report can be replaced with a less expensive readiness assessment.

Once the gaps identified by the readiness assessment have been closed, and the controls have matured at the operational level, the service organisation may dispense with the Type I audit and opt, instead, to obtain the Type II report immediately.

Benefits to the service organisation

It goes without saying that obtaining a SOC report benefits the service organisation. The most obvious benefit is that it reduces the continuous need to accommodate clients’ auditing teams: by opting for a SOC report, the service organisation is audited once annually, by one auditor alone.
The SOC report is also regarded as a valued “sign of excellence” (bragging rights, if you like). Being in possession of an annual SOC audit report helps the service organisation attract new clients, since the chosen service organisation (“B”) is perceived to place a high premium on the design and operational effectiveness of the controls it provides to its clients (“A”), and the client therefore perceives itself to be in “safe hands”.