A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance (and soon to be SSAE 18).
Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:
In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future.
TheSOC 3 Report , just like SOC 2, is based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report can be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2 where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on their website upon successful completion.
The Trust Service Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction (online retailer), builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.
The SysTrust review encompasses a combination of the following principles:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
The WebTrust certification can fall into the following four categories:
WebTrust. The scope of the engagement includes any combination of the trust principles and criteria .
WebTrust Online Privacy. The scope of the engagement is based upon the online privacy principle and criteria.
WebTrust Consumer Protection. The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
WebTrust for Certification Authorities. The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.
A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70 (or SSAE 16), complete with a Type I and Type II reports, but falls under the SSAE 18 guidance (as of May 1, 2017). Please see the following articles discussing the SSAE 18 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:
Below is a history of key changes made to the audit standard over time to enhance the overall audit and final report.
Differences between SAS 70, SSAE 16 and ISAE 3042:
Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
The fairness of the presentation of the description of the service organization’s system;
The suitability of the design of the controls to achieve the related control objectives stated in the description; and
The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)
During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.
SSAE 18 adds an additional set of requirements to further enhance SSAE 16 standard:
Requires the inclusion of a Complementary Subservice Organization Controls section (similar to what is currently required for SOC 2).
Requires the performance of a detailed Risk Assessment based on the control objectives defined in the report.
Remember: Although the reporting standard is soon to be, SSAE 18, the SSAE 16 and ISAE 3204, are all still considered to be a SOC 1 Report!
The latest changes are meant to give the end user a clearer picture of their vendor’s subservice organizations and the responsibilities of the end user as well (Complementary User Entity Controls), which, will help to provide an all around higher level of assurance and understanding to all involved.
In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance.
SOC 2 Report – Trust Services Principles – The Service Organization Control (SOC) 2 Report will be performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18)….read more
SOC 3 Report – WebTrust and SysTrust – The SOC 3 Report is also based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report is permitted to be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system)….read more
The software publishing industry has experienced significant growth in the past 5 years and projected to continue at a significant pace (2%-5%) as businesses and consumers increase spending and invest in new technology.
Businesses account for almost 82% of all software related spending with Finance and Insurance leading the pack. Many of the new enterprise software solutions produced now include a SaaS offering (sometimes the sole option), intended to reduce IT overhead / infrastructure compatibility issues and allow more flexible licensing options.
SaaS solutions let a business leave the development and maintenance to the experts and focus on enhancing operations and securing new business. However, these benefits bring additional compliance concerns that software developers and even the end users must concern themselves with as increased oversight and growing demand for industry regulations continue.
Users of SaaS Products in the Enterprise
Businesses are making use of SaaS applications more than ever, but, trusting operations and confidential data with another company can be nerve racking. However, use can also relieve a number of headaches that come with upgrading to the latest software or even worse, developing internally.
Reduce the need to hire expensive IT personnel to develop and maintain the software and infrastructure
Your developer isn’t the only one with knowledge, so, they cannot hold you hostage!
Prevent costly failed development attempts (knowing the business and ability to develop software don’t always align as well as hoped)
Reduce IT infrastructure costs (no need to add servers or face compatibility issues)
Easier to switch solutions if a better one is available (no infrastructure!)
Reduction in compliance issues as controls would be the responsibility of the SaaS provider.
Reliance upon another company for business operations and hosting of confidential data.
Unable to customize software to business operations as much as an internally developed solutions.
Cannot guarantee bug fixes and security vulnerabilities are addressed timely.
So how do you know the application provider is performing their duties appropriately in a controlled, stable, and secured environment? This concern is what SOC 1 (SSAE 16) and SOC 2 seek to address.
SaaS Developers / Providers
Operating a third party hosted solution brings additional responsibility that a software developer didn’t have to be concerned with in the past. SaaS providers must be dependable – keeping the system online, functional and secure for your customers that depend on it. To obtain this assurance, many companies require proof that your business has proper controls in place and reviewed by a third party accounting firm. Controls for these services usually are designed based on a combination of security, confidentiality, availability, processing integrity and privacy principles. The appropriate combination will depend upon the product/service offered, level of data confidentiality required, and any customer specific requirements/requests.
Whether you develop software solutions for health care, finance, government or other industry, it is common to see a SOC 1 or SOC 2 as a prerequisite in RFPs. The SOC 2 report is typically the most appropriate for a SaaS solution, but, a SOC 1 (SSAE 16 – now SSAE 18 as of May 1, 2017) is the most requested (although not always the most relevant). The cost for an audit can vary greatly depending on the number of controls, size of the company, and complexity of the IT infrastructure.
From insider scandals to outside threats, the protection of corporate and personal information is the corner stone of information security compliance. Obtaining a current SOC 1 (SSAE 16/18) or SOC 2 audit report can be a significant differentiator within your industry and provide value to new and current customers.
Contact Skoda Minotti
Please complete the form below to contact Skoda Minotti for additional information and note any relevant information that may help us fulfill your request.