SOC 2 Reports Replaced SAS 70 for Security and Availability in 2011 - This is 2013.

The market is making progress towards correcting the notion that SAS 70 or SSAE 16 provides assurance regarding security, but last week I came across a service organization's publication that included the following statement:

What is the difference between SSAE16 SOC-1 and SOC-2?

SOC 2 reports will contain the same report elements as SOC 1 reports but will be prepared in accordance with the AT Section 101 attest standard rather than the SSAE16 standard. Furthermore, the control objectives in a SOC 2 report will be based on the AICPA and CICA’s Trust Service Principles and Criteria, previously used by the WebTrust and SysTrust certifications. Like SOC 1 reports, SOC 2 reports are available in a Type 1 and a Type 2 report. [We are] evaluating SOC-2 reports but [are] not currently actively engaged in SOC 2 audits.

Stop here for a minute and think about the issues in this paragraph.

SOC 2 reports will contain...
SOC 2 is placed into a "future" category instead of something that should have already been implemented.  We are, after all, approaching two years since the AICPA prohibited the inclusion of non-ICFR controls in SOC 1 reports to curb the misuse of SAS 70 as a report that provided assurance regarding security.  SOC 2 reports replaced SAS 70 for security and availability in 2011.

SOC 2 reports will contain the same report elements as SOC 1 reports but will be prepared in accordance with the AT Section 101 attest standard rather than the SSAE16 standard.
Although technically correct, because a SOC 2 report uses the same report format (elements) as a SOC 1 report, the sentence implies to the uninformed reader that the content of SOC 2 and SOC 1 reports is essentially the same.

Furthermore, the control objectives in a SOC 2 report will be based on the AICPA and CICA’s Trust Service Principles and Criteria, previously used by the WebTrust and SysTrust certifications.
The sentence again uses the future tense, and also makes sure to include a reference to WebTrust and SysTrust to associate SOC 2 with reports that were largely ignored by the market.  SOC 2 is the AICPA's second attempt at getting people to take non-ICFR controls out of reports that are focused on supporting financial statement assertions.

[We are] evaluating SOC-2 reports but [are] not currently actively engaged in SOC 2 audits.
Translation: "We are waiting to see if the market will really require us to undergo one of these engagements that cost more, and require greater scrutiny of our internal controls as they relate to security and availability."

Customers need to demand risk assurance pertaining to security and availability from their vendors.  The proper report for this type of assurance is a SOC 2 report.  If your vendor is asking you to be content with a SOC 1 (SSAE 16) report that the AICPA and Gartner have made abundantly clear does not provide that assurance, then red flags should go up about that vendor.

3 comments:

  1. Lots of misinformation out there. There is a real need to educate the service organization community BEFORE they are notified of non-compliance or worse.

  2. Excellent synopsis. I frequently find the SOC2 and SOC3 reports misrepresented. It appears that vendors are capitalizing on this confusion and flexing a muscle that downplays the need for SOC2/SOC3. It becomes a continual risk tolerance discussion and eventual argument.