Reporting for Service Organizations: Making Sense of SOC 1, SOC 2, SOC 3 and SSAE 16

With more and more organizations outsourcing business processes and systems, data is now being stored at third-party data centers.

Reporting for Service Organizations: Making Sense of SOC 1, SOC 2, SOC 3 and SSAE 16Until recently, many organizations relied on the legacy Statement on Auditing Standards (SAS) 70 reports to gauge the controls in place at these outsourced data centers. SAS 70 however was never intended for that. It focuses specifically on risks related to internal control over financial reporting (ICOFR), and does not cover crucial aspects, such as system availability and security.

In 2011, the American Institute of Certified Public Accountants (AICPA) replaced the antiquated SAS 70 reports with three Service Organization Control (SOC) reports. These SOC reports address a broader set of user needs for outsourced services. The SOC reporting framework for service organizations consists of SOC 1, SOC 2, and SOC 3 reports. While SOC 1 reporting is geared towards controls relevant to financial reporting, SOC 2 and SOC 3 reports cater to internal controls outside of that financial reporting.

SOC 1 reports is based on the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which offers a detailed description of the system and a declaration from the management. Organizations that opt for this report end up with a SOE 1 SSAE 16 Type 1 (system as it exists at a particular point of time) or SOE 1 SSAC Type 2 report (system as it exists for a particular time period). SOC 1 is the direct replacement for the old SAS 70, and organizations who simply shift from SAS 70 to SOC 1 actually do not do extend their scope of reporting. SSAE 16 is technically oriented towards service organizations with credible relationships with Internal Control(s) over Financial Reporting (ICFR.)

SOC 2 and SOC 3 offers a significant upgrade from SAS 70/SOC 1 as these are is specifically designed for Software as a Service (SaaS), cloud computing, and technology related service organizations.

Both SOC 2 and SOC 3 reporting is based on AICPA’s AT 101 professional standards, and encompass five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.

  • Security: Whether the system is protected against unauthorized access. This covers both logical and physical deployments in place.
  • Availability: Whether the system is available for operation and use as per the stated commitments
  • Processing Integrity: Whether system processing is accurate, timely, complete and authorized.
  • Confidentiality: Whether information designated “confidential” is actually protected as agreed upon.
  • Privacy: Whether personal information is collected, used, retained, and disclosed in conformity with the stated commitments of the in-house privacy notice and also the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

The qualified auditor makes a report of the service organization on these parameters.

SOC 2 is a restricted-use report, containing detailed description and results of the service auditor’s tests of controls, and the auditor’s opinion on the description of the service organization’s system. A SOC 3 report in contrast is a general-use report that only states whether the system achieved the trust services criteria, without the description of tests and results, and without the auditor’s opinion on the description of the system.

Data centers may choose SOC 2 or SOC 3 depending on their requirements and client expectations. For instance, companies that outsource their operations would be concerned with privacy of the information and security of their data handled by the third-party data center. They would prefer a data center partner who has an SOC 3 seal .

Lifeline Data Centers is a fully compliant data center that offers flexible, tailor-made and fully compliant solutions for all your data center solutions. Let the compliance experts at Lifeline Data Centers help you solve your SSAE 16, TIA-942, NFPA, HIPAA, FISMA, FDA, PCI/DSS and Sarbanes Oxley audit problems. Lifeline delivers multi-level compliance solutions in audit-ready data centers with in-house expertise. Learn more.

Alex Carroll

Alex Carroll

Managing Member at Lifeline Data Centers
Alex, co-owner, is responsible for all real estate, construction and mission critical facilities: hardened buildings, power systems, cooling systems, fire suppression, and environmentals. Alex also manages relationships with the telecommunications providers and has an extensive background in IT infrastructure support, database administration and software design and development. Alex architected Lifeline’s proprietary GRCA system and is hands-on every day in the data center.