The IT industry is filled with many different standards and compliance regulations, and it can sometimes be difficult for leaders to keep up with everything they need to know about these requirements. In fact, a recent study conducted by Peak 10 showed that healthcare IT professionals considered keeping up with new regulations and understanding how different regulations and standards affect their business as two of their biggest challenges.
At Peak 10, we’re frequently asked about the SSAE 16 standards (Statement on Standards for Attestation Engagements) and the SOC 1, SOC 2 and SOC 3 (Service Organization Control) reports. These reports are often required by publicly traded companies due to the Sarbanes-Oxley Act of 2002. The act was mandated to enhance corporate responsibilities and combat corporate and accounting fraud. SSAE 16 standards and SOC reports ensure that such companies’ vendors are up to date with the latest international organization reporting standards. I sat down with David Kidd, Peak 10’s vice president of governance, risk and compliance, to get a better understanding of this topic.
Where did the SSAE 16 standard originate, and how did we get to where we are today?
The AICPA (American Institute of Certified Public Accountants) sets auditing standards for attestation engagements. An attestation engagement is simply when an independent auditor issues a report that provides assurance for information that is the responsibility of another party. Up until 2011, the AICPA relied on the SAS 70 standard, which evaluated service organizations and how their activities affected the financial reporting of their clients. It was very popular and was used to examine a wide variety of different service organizations. In fact, the standard ended up getting used too broadly, to the point where it started to lose the focus desired by the AICPA.
At that point, the AICPA decided it needed an updated standard that would better reflect the standards in use outside of North America. As a result, the organization replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) No. 16 in 2011. The SSAE 16 standard is designed to be more closely aligned with the ISAE3402 international standard.
What are the SOC 1, SOC 2, and SOC 3 reports?
Service Organization Control (SOC) reports are auditing reports that are issued in compliance with the SSAE 16 standard. The three types of SOC reports differ based on what they cover, how the auditor performs the assessment, and what level of detail the reports include.
During an audit that produces a SOC 1 report, the organization being audited (the service provider) defines the objectives that are important to its business, and the controls it follows to achieve those objectives. Due to the nature of self-defined objectives, this is a very flexible standard, and can be customized to each service provider.
SOC 2 reports differ from SOC 1 reports in that while the organization selects the principles that are relevant to its business, the actual controls and testing are standard across all service providers. SOC 2 reports are based on five trust principles: security, availability, processing integrity, confidentiality, and privacy. These principles mean that SOC 2 reports are very important for IT organizations.
SOC 1 and SOC 2 reports are meant to be confidential, limited-use documents for the service provider and its customers, but they were often distributed publicly instead. In order to meet demand for a public-facing auditing report, the AICPA decided to introduce a new report: SOC 3. This new report is designed to attest that the service provider has successfully completed a SOC 2 assessment, while only including information that would be relevant to public parties. SOC 3 reports cover the same trust principles covered by the SOC 2 report, but are different because they can be distributed to public audiences.
I’ve also heard about Type 1 and Type 2 SOC reports. What do these mean?
A Type 1 SOC assessment looks at a service provider at the specific moment the assessment is performed. Auditors look at the provider’s current operations and controls, and do not account for any historical processes. On the other hand, a Type 2 assessment looks at controls that are in place today and have been functional for at least six months prior to the audit date. Clearly, this makes the Type 2 assessment the more rigorous of the two options.
Who are SOC reports most relevant to?
The SSAE 16 standard and SOC reports affect any company that issues financial statements; in short, this means they are relevant to companies of all sizes, across all industries. The SOC 1 report is especially relevant for publicly traded companies. When the Sarbanes-Oxley regulation came out, it held publicly traded companies to a higher standard for their operational activities. This created a trickle-down effect, requiring these companies to increase the level of control they exercised over their service providers.
SOC 2 and SOC 3 reports are specifically targeted towards information security and information system availability, meaning that they are relevant to any IT organization. Most of the principles covered in these reports are very closely related to an IT service provider’s core business. Therefore, IT leaders should always ask for a SOC 2 or SOC 3 report in order to confirm that the service provider passed the SOC 2 report evaluation.
How are service providers evaluated for these reports?
SOC 1-3 reports are prepared by qualified independent auditors. The auditors will first go through a rigorous process of collecting documentation on the service provider’s processes and operations. Then, they will physically inspect all of the service provider’s data centers and central operations. The full process can take months to complete depending upon the scope of the assessment.
What are the key questions an IT leader should ask his or her prospective service providers to ensure that they operate under the highest standards covered by SSAE 16 and SOC reports?
When speaking to service providers, an IT leader should always understand what auditing procedures they follow. Since SOC 1 and SOC 2 reports are generally held private, a service provider may ask a customer to sign an NDA before agreeing to share the reports. Asking a service provider to produce a SOC 3 report helps confirm that it has passed its audits successfully, and since these reports are publicly available, the service provider will generally have no problem sharing them.
What is Peak 10’s approach to SOC reporting?
Peak 10 works with BrightLine CPA & Associates, an independent third-party auditor, to produce its SOC reports. For SOC 1 reports, we define our objectives as physical security, infrastructure and change management, network and cloud hosting operations, logical security, support organization, and provisioning. For SOC 2 and SOC 3 reports, we are assessed for security and availability, which are among the core principles of our business. The other principles do not apply to our business, because we only provide data infrastructure, and do not actually process data for our customers. Peak 10 also chooses to perform the more rigorous Type 2 report, and includes 12 months of history instead of the minimum of six. In addition, Peak 10 updates its SOC reports every year, meaning that there are never any gaps between reports. We insist on providing our customers with this level of SOC compliance in order to show them that we are serious about protecting them and their data.