The illustration above depicts a typical conversation that is currently happening between data centers and their potential customers. There is confusion between data centers, their potential customers and even some accounting firms in understanding the changes that have taken place. The SOC 1 / SSAE 16 Attested Standard has replaced the SAS 70 Audit Standard. There are also SOC 2 and SOC 3.
Which one is acceptable? Which one is best? I think that is the key question that we should help service organizations (i.e. data centers) answer at this time.
Let’s start with AICPA guidance, since they issued the changes in the first place:
SOC 1 / SSAE 16
SOC 1 / SSAE 16 reports “are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user’ auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.”
SOC 2 reports “are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
SOC 3 reports “meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information, and the confidentiality, or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.”
Simply put, SOC 1 / SSAE 16 reports provide reasonable assurance that a service organization has internal controls over financial reporting. Define reasonable? That’s up to the service auditor that issues the SOC 1 / SSAE 16 report and user organizations (and their auditors) that evaluate it.
SOC 2 and SOC 3 reports are intended to provide users with information about the service organization’s controls in place that may affect security, availability, processing integrity, confidentiality and/or privacy of information.
While SOC 1 / SSAE 16 may not be the best option for a service organization to undergo, it’s what their customers are still asking for. If a SOC 2 report is the better option than SOC 1 / SSAE 16, the accounting firm should inform the service organization about it. As long as 1) the accounting firm (service auditor) performing the audit for the service organization is working within the rules issued by the AICPA and 2) the service organization knows the differences between the types of reports, and communicates the updates to their customers, what is the issue?
At the end of the day, the customer is always right. It is our job to inform service organizations about the changes that have taken place, and let them decide which report they want.