About Me

My photo
Jason Lannen is the Managing Director of TurnKey IT Solutions, LLC. Experienced IT Auditor and Consultant focusing on SOX 404, SOC 1 / SSAE 16 (formerly SAS 70), SOC 2, PCI, ISO 27000, Information Security and Data Analysis. Check out our website at http://www.turnkeyit.net and email us at info@turnkeyit.net for more information.

Sunday, January 22, 2012

SOC Reports: The customer is always right

The illustration above depicts a typical conversation that is currently happening between data centers and their potential customers.  There is confusion between data centers, their potential customers and even some accounting firms in understanding the changes that have taken place.   The SOC 1 / SSAE 16 Attested Standard has replaced the SAS 70 Audit Standard.  There are also SOC 2 and SOC 3. 
Which one is acceptable?  Which one is best?  I think that is the key question that we should help service organizations (i.e. data centers) answer at this time.
Let’s start with AICPA guidance, since they issued the changes in the first place:
Intended Use
SOC 1 / SSAE 16
SOC 1 / SSAE 16 reports “are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user’ auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.”

SOC 2 reports “are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”

SOC 3 reports “meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information, and the confidentiality, or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.”

Simply put, SOC 1 / SSAE 16 reports provide reasonable assurance that a service organization has internal controls over financial reporting.  Define reasonable?  That’s up to the service auditor that issues the SOC 1 / SSAE 16 report and user organizations (and their auditors) that evaluate it.
SOC 2 and SOC 3 reports are intended to provide users with information about the service organization’s controls in place that may affect security, availability, processing integrity, confidentiality and/or privacy of information.
While SOC 1 / SSAE 16 may not be the best option for a service organization to undergo, it’s what their customers are still asking for.  If a SOC 2 report is the better option than SOC 1 / SSAE 16, the accounting firm should inform the service organization about it.  As long as 1) the accounting firm (service auditor) performing the audit for the service organization is working within the rules issued by the AICPA and 2) the service organization knows the differences between the types of reports, and communicates the updates to their customers, what is the issue?
At the end of the day, the customer is always right.  It is our job to inform service organizations about the changes that have taken place, and let them decide which report they want.


  1. Great post. You did a great job of capturing the dilema facing service organizations. It would be great if you could plug "Risk Assurance Guy" into Google, and provide feedback after checking out my post on "Who will be held responsible for SOC1s that should have been SOC2's?" as well as "Examples of non-ICFR controls in an actual SSAE16". The bottom line is that CPA firms are prohibited from including non-ICFR controls in SOC1s or face qualified opinions in their peer review. They are not following the attestation standards if they include non-ICFR controls in a SOC1. So the CPA firms have a decision to make. Accept the engagement, and violate the standards, or do not accept the engagement, and follow the standards.

  2. This is great, Jason. A picture really is worth 1,000 words.

  3. That is an excellent article, and very representative of what's happening. The introduction of SOC 2 has not eliminated certain user entity's needs for SOC 1 to fulfill the requirements of their auditors. Is SOC 2 better suited for the data center environment? Probably so for those user entities that are relying on the report for something other than ICFR. Nonetheless, it is the user entity that drives the need so long as the respective auditors' are properly applying the standards set forth by the AICPA. Much is left to the interpretation of what controls are relevant to ICFR, and a business case still does exist to support the need for SOC 1 in a data centers from the perspective of some user auditors.

  4. Jason,

    You're almost there.

    My concern with the SOC 2 (and subsequent SOC 3 which serves more as a marketing report for the SOC 2) is the use of the AICPA's Trust Services Principles for Security and Availability published in 2006. It's out of date in Internet years.

    Even COBIT 4.1 published in 2007 is undergoing a re-write (COBIT 5.1) as we speak.

    ISO 27000, in its parts, have received updates all the way up until 2011. Reference here: http://mycima.net/r345gfer6/comms/docs/ISO%2027000%20Series%20Update%20-%2001_2012.pdf

    And the CSA CCM was updated in 2011. Disclosure, I'm an author.

    All Controls Frameworks mentioned so far are up-to-date, while the AICPA’s Trust Services Principles for Security and Availability is not and the basis for SOC 2 and 3 security assurance.

    When a CPA firm attaches the CSA CCM, for example, as "additional subject matter," this will hold a lot more weight for security professionals to gauge the actual security measures in place and practices followed at the Cloud Service Provider.

    We need further clarity on SSAE 16 (SOC 1) and SOC 2 (e.g. when to truly use what, why, and when), and believe that we need the "additional subject matter" to provide security assurance. For example, for publicly-held companies it seems as if a SSAE 16 (SOC 1) is required. If that same company is a cloud service provider, they should also have a SOC 2. For data centers, they need a SOC 2. If any of these companies are privately-held, they only need a SOC 2.

    Interesting to note, most international companies (everyone but the US) rely heavily on ISO 27001 certification to provide security assurance.


    Phil Agcaoili

  5. I'm with Phil. We can combine the best from each standard, assurance, and certification through the SOC2 vehicle. I'm excited about being on the ground floor of this.

  6. You've shared a great information about it solutions .Which remind me Articles like it companies in Dubai,it solution company .Just which are very informative for us.Thanks

  7. You, have shared a very worthy content thanks for the information.

    ISO certification company in india