Transparency of your internal controls through the ‘Service Organization Control Report':
a major competitive advantage
By Piet-Hein Prince and Maxime Brière, Ernst & Young, Luxembourg
For IT service providers in Luxembourg and abroad, the consideration over their internal set of controls is a significant market advantage but often considered a challenge to demonstrate externally. The American Institute of Certified Public Accountants (AICPA) has now presented a new opportunity for service organizations (or service providers) to demonstrate the investments they have made to lead their company past its competitors. This opportunity presents itself as new standards replacing the SAS70, falling under the umbrella term “Service Organization Control (SOC) Reports”.
In this article we will elaborate on the content and added value of the 3 different SOC reports and especially on the SOC2 report, which is the most significant addition for IT service providers.
What is SOC Reporting?
Management and governance officers are responsible to identify and assess risks to the entity and address them through effective internal control. When an entity outsources tasks to a service organization and becomes a user entity, it replaces many of the risks associated with performing those tasks with risks associated to outsourcing. Although a task may be outsourced, management of the user entity retains the overall responsibility and needs to monitor the service organization. The dependency on outsourced controls is one of the motivations of service providers to provide a SOC report.
The objective of the AICPA is to help service providers in selecting the appropriate report to address their controls and help meet specific service organization and user entity needs.
- SOC1 report. Intended for entities that use service organizations and their auditors. It is targeted at controls over the financial statements. SOC1 engagements are performed mainly under “Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization” and the “International Standard on Assurance Engagements No. 3402, Assurance Reports on Controls at a Service Organization”.
- SOC2 report. Intended for a broad range of users who require information and assurance about controls at a service organization that affect security, availability, processing integrity, confidentiality or privacy of the information processed by these systems. SOC2 engagements are performed under Attest Engagements (AICPA, Professional Standards AT section 101), and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
- SOC3 report. Designed for a wider range of users who need assurance about controls at a service organization that affect security, availability, processing integrity, confidentiality or privacy of the information processed by these systems, but do not have the need for a SOC2 report. The criteria for evaluating the controls are the Trust Service Principals that are relevant to the principle being reported on (the same criteria as in a SOC2 report).
SOC2: a tool for IT service providers and data centers
The SOC2 report will provide to the different parties an independent opinion about controls at the service organization relevant to any combination of the following criteria:
Security: The system is protected against unauthorized access;
Availability: The system is available for operation and use as committed or agreed;
Processing integrity: System processing is complete, accurate, timely, and authorized;
Confidentiality: Information designated as confidential is protected as committed or agreed;
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles.
The report structure will include the same focus on Trust controls as the SOC3 but provide a better detailed description of the service organization’s system and the results of the tests by the auditor.
An example of the value of the SOC2 is the IT service providers moving towards a cloud computing offering, now have a tool to help demonstrate the reduced risks regarding privacy aspects. This is reflected through the Global information Security Survey, performed by Ernst & Young in 2010, which indicated that more than 75% of financial institutions in Luxembourg not using a cloud solution today would consider moving to such a solution, if the cloud computing provider was certified with regards to the privacy criteria.
Other examples of providers gaining from this report are managed security and enterprise IT outsourcing services, financial services customer accounting, customer support for post sales support, service management or even health care claims management and processing.
And as IT service providers and data centers can now obtain an independent examination report of their internal controls directly linked to the services provided, these reports could play an important role in vendor management programs, internal corporate governance and risk management processes or even regulatory compliance.
An independent examination of non-financial controls, a broader range of distribution, an increased trust with current or potential service users through transparency of the control activities are arguably the main factors why the SOC2 is bound to present itself as an essential tool for IT service providers, especially in Luxembourg. And as this new standard comes to the forefront of the commercial trust relationship in Luxembourg, very soon, clients of service providers will be asking for it.
By Piet-Hein Prince, CISA, Senior Manager, IT Risk and Assurance Ernst & Young Business Advisory Services
and Maxime Brière, CISA, CRISC Manager, IT Risk and Assurance Ernst & Young Business Advisory Services