By: Mitchell H. Levine, CISA
Audit Serve, Inc.
It has been three years since SSAE 16 SOC 1 reviews replaced the SAS 70 audits and the AT 101 SOC 2 & SOC 3 reviews replaced the SysTrust audits. The main enhancement of the SOC 1 audits was to require a Service Organization to provide the Service Auditor with an assertion letter that attests (1) to the accuracy of management's description of the service organization's system and (2) that the control objectives were suitably designed. Beyond that, the SOC 1 reports have proven to be of great value in ensuring that a SOC 1 report is only issued if the Service Organization "truly" has an impact on the User Organization's financial statements, and that the controls included in the SOC 1 report relate only to the controls needed to ensure the accuracy of those financial statements.
The rest of the controls were intended to find a "resting place" within SOC 2 and SOC 3 reviews. The SysTrust engagement scope, which was replaced by the SOC 2 & 3 engagements, covered three Trust Service Principles: Availability, Security and Integrity.
The SOC 2 & 3 engagements include the following Trust Service Principles:
SOC 2 was put in place to provide assurance over non-financial controls. However, these non-financial controls are critical to user organizations when assessing with which vendor to place their business operations or outsourced operations. Wouldn't a user organization want an independent review to ensure that the service organization has controls in place to (1) recover from a system failure, (2) prevent a data security breach or (3) ensure that the job scheduling system processes the batch work correctly? Without a SOC 2 review, a user organization will not have an independent review to provide this opinion.
User organizations have focused only on demanding that service organizations provide SOC 1 reports. It is important that the requirement for service organizations to provide SOC 2 reports be given the same level of attention. Unfortunately, service organizations rarely produce SOC 2 reports because user organizations have not mandated them.
The biggest issue with the SOC 2 reviews is the manner in which the controls are written. Most of the controls are written only to ensure that a procedure exists to establish key control processes. For instance, only the existence of a procedure to develop an incident response plan is required, not that an adequate incident response plan has actually been established. Although the AICPA has provided guidance to ensure that these critical processes are evaluated for their existence, the industry has been slow to react. Therefore, User Auditors and User Organizations should conduct their own review of the SOC 2 reports they receive to ensure each is not merely a review of a repository of procedures. In addition, as is the case with SOC 1 reviews, the Service Auditor and Vendor Management reviews should ensure that there is no abuse of "carve-outs" for key sub-service providers that have an impact on the key controls.