London, UK: ISACA, a global IT association with 100,000 members in 180 countries, teamed up with the American Institute of CPAs (AICPA) to issue a user guide on Service Organization Control Reports℠ that helps evaluate risk, reliability and compliance issues regarding outsourced tasks or functions. The guide is titled SOC 2℠ User Guide for Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
To address issues that went beyond the scope of Statement on Auditing Standards No. 70, the AICPA developed Service Organization Control (SOC) Reports (SOC 1℠, SOC 2℠ and SOC 3℠ reports), based on the technical standards of Statement on Standards for Attestation Engagements (SSAE) No. 16 and Trust Services. In May 2011, the AICPA issued Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2), which uses the AICPA’s Trust Services Principles and Criteria to report on controls at a service organization. The SOC 2 report provides service organizations and users more flexibility related to compliance and operational reporting controls. It addresses the risk of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.
“IT auditors need to fully understand the SOC 2 report, including the standards and guidelines within, to be able to provide thorough and valuable services. This user guide will help IT professionals gain a much deeper understanding of the report, resulting in better reporting and improved controls,” said Floris Ampe, CISA, CGEIT, CRISC, CIA, ISO 27001, PwC, Belgium, chair of the guide’s development team. “The guide will also be helpful to banks, financial institutions and enterprises that need to comply with HIPAA and the US Gramm-Leach-Bliley Act.”
The SOC 2 User Guide focuses on the SOC 2 report issued by service organizations relevant to the effectiveness of the design and operation of their controls related to security, availability, processing integrity, confidentiality or privacy. The guide describes service organization reports (SOC 1, SOC 2 and SOC 3) and explains:
• The standards used and the scope of a SOC 2 report
• How to determine the user entity’s needs when obtaining a SOC 2 report
• How to communicate the user entity’s needs to the service organization
• How to interpret the SOC 2 report provided by the service organization
“The AICPA issued a guide earlier this year that helps CPAs take full advantage of SOC 2 engagements,” said Chris Halterman, CPA, executive director at Ernst & Young and chair of the AICPA’s Service Organization Control Reporting Task Force. “This new guide will help users of outsourced services who are evaluating a SOC 2 report as part of a vendor assessment or other review of controls.”