For those of you who do not know, we will start by explaining what SOC 2 reports are (successors to the well-known SAS 70 reports). To begin with, SOC stands for Service Organization Controls, and there are three types of report:
- SOC 1 - Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting.
- SOC 2 and SOC 3 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with the AICPA Trust Services Principles and Criteria.
The difference between SOC 2 and SOC 3 reports is that, while the former includes a detailed understanding of the design of controls at the service organization and the tests performed by the service auditor to support his/her conclusions on the operating effectiveness of those controls, the latter only provides the auditor's opinion on whether the service organization maintains effective controls over its systems. For this reason, SOC 2 reports are intended for an exclusive distribution list and are restricted-use reports (they can be distributed to any customer with the service organization's agreement), while SOC 3 reports are intended for general use and can be freely distributed, for example via the AICPA SOC 3 web site.
Focusing on SOC 2 reports, it is important to mention that there are also two types: Type 1 (design of controls only, at a specific point in time) and Type 2 (design and operating effectiveness of controls over a period of time).
Finally, all SOC 2 reports have the same content:
- Management's description of the service organization's system
- A written assertion by management of the service organization
- Design and operating effectiveness (Type 2 only) testing results
- The service auditor's expressed opinion (qualified, where deviations are noted, or unqualified, i.e. clean).
Ultimately, SOC 2 reports represent an effort to standardize audit reports, so that they can be reused and understood by all their potential users as easily as possible.
And although SOC 2 reports are obviously a big step forward, they still demand a significant interpretive effort from the potential user, which, in our opinion, is their main weak point, because the user has to:
- Understand the differences between Type 1 and Type 2 reports.
- Understand report coverage: Does it include the services relevant to the user? Does it cover a useful period? Are there any time gaps between reports?
- Analyze whether the principles considered are the relevant ones, because the service organization chooses the principles against which it is audited.
- Evaluate whether the controls assessed are relevant to the user, because the auditor only verifies the controls defined by the AICPA, and those controls and criteria do not necessarily suit the user's needs according to its risk profile.
- Analyze the impact of subservice organizations, because the service organization's management has two options for including them: the carve-out method, that is, not including details about the subservice organization's systems and controls, or the inclusive method, which includes a detailed description of those elements.
- Evaluate the test procedures (timing and extent) carried out to assess the operating effectiveness of controls and, if applicable, the deviations observed, in order to interpret their materiality.
In conclusion, although these reports can be useful in some situations, they do not solve the flexibility problem that this type of environment requires, and they still demand an interpretive effort and strong knowledge from the potential users of the services.
At leet, as a security rating agency, we consider that our proposal is more intuitive and flexible, because instead of defining minimum control levels, it defines a metric that lets vendors and users reach a meeting point between what one needs and what the other offers.
You can follow us on twitter.com/leet_security