12-19-11 | Blog Post
If you’re in a business that needs to meet Sarbanes-Oxley compliance, you probably know by now that the SAS 70 report expired earlier this year and was replaced with the SSAE 16 attestation. SSAE 16 is a lot like SAS 70, but adds an attestation set forth and signed by a company’s management that confirms that the described controls are in place and functional.
You might have known that SSAE 16 is also called SOC 1. It’s just an alternative label for exactly the same thing.
And this might lead you to believe that the SOC 2 audit report is closely related to SOC 1 … but this couldn’t be further from the truth. The “little” difference between SOC 1 and SOC 2 amounts to a significant difference to companies who are using the reports as part of their due diligence to research prospective vendors. SOC 2 finally addresses the industry need for a consistent set of criteria against which companies can be measured and compared.
Oh, you didn’t know that SSAE 16/SOC 1 is an arbitrary measurement? It goes something like this – before an auditor steps foot into a company to be audited, the company gets to decide what they want to be audited on. It’s like getting to say what questions you want on your final exam. Companies are likely to specify those controls that are in their sweet spot, and that they know they will pass. Companies are likely to omit controls that are weak and ineffective.
What’s worse is that there’s no consistency in audit scope. Some companies specify a mere handful of controls to be audited, while others document exhaustive procedures that they are audited and reported on. Even though any company that passes an SSAE 16/SOC 1 audit can claim Sarbanes-Oxley (SOX) compliance, only a detailed scrutiny of the independent audit report will reveal what the company has elected to have audited, and the auditor’s opinion. No two SSAE 16/SOC 1 reports are the same! See the problem?
But wait, it still gets worse for companies who are using SSAE 16/SOC 1 reports as due diligence for vendor selection. By definition, SSAE 16/SOC 1 and the previous SAS 70 standard reviews financial and accounting controls of a service provider. So, when you review one of those reports, you’re getting confirmation that they keep their books well. While this may be one measure of honesty, wouldn’t you really care about the processes that you will be hiring them for? For example, if you were evaluating Online Tech as a hosting provider, would you rather see an independent audit report about our financial and administrative procedures, or an independent audit report about how we control the privacy, security, availability, integrity and confidentiality of our data center facilities and server hosting solutions?
This is where the SOC 2 audit and report comes in. Don’t be fooled into thinking that SOC 2 is a next level up from SOC 1. SOC 2 is a COMPLETELY different species. Here’s why. SOC 2 is the first and only audit and report that sets a pre-defined, consistent set of criteria specifically around the services that a company provides. That means that when you read and compare the SOC 2 reports from two different companies, you can finally compare apples to apples. And what’s even better, you get to compare the processes directly related to the services they will be providing you. While SAS 70 and SSAE 16/SOC 1 are designed to measure financial controls, the SOC 2 audit is designed to measure Service Organization Controls related to:
Alright, so you get that SOC 2 is a completely different audit than SOC 1. Ready for the next “gotcha”? There are actually two types of SOC 2 audits: a Type I and Type II. Just like SSAE 16/SOC 1, the Type I report just means that the company has stated that the controls are in place and functional. The Type II report is the real measurement and auditor validation that the stated controls actually ARE in place and actually ARE working. Put this all together, and the net is, you want to compare vendors who will share a copy of the independent SOC 2 Type II report.
Some cautionary tales: not all companies that position themselves to have “compliant solutions” are really independently audited. How do you know? Ask for a copy of the independent audit report. Expect that these will only be shared under an NDA (Non-Disclosure Agreement), but that’s fair considering that these reports describe the heart and soul of how a service organization runs its business. You might find that some companies won’t even provide their independent audit reports under NDA. Big warning sign. If a service-oriented company refuses to share their audit reports with a prospective customer, it’s impossible for you to prove to your board, shareholders, customers and regulators that you did your own due diligence. And for some industries, the stakes are too high to take this kind of a chance.
If you want an objective, relevant measure of how your vendor will be able to provide a secure, available, confidential and private solution of integrity, there is only one independent audit report to ask for: SOC 2 Type II. At the end of the day in our industry, when investors and clients want proof that a data center is going to be able to meet SLA obligations for server, data, and application uptime, they need to know that the processes and controls around security, availability, processing integrity, confidentiality and privacy are rock solid – not that a data center’s financial controls have passed review.
More references:
What is a SOC 2 report?
SSAE 18 vs. SSAE 16: Key Differences in the new SOC 1 Standard
SOC Report Comparison
American Institute of CPAs
UHY Advisors
Principal of UHY Advisors, David Barton’s blog