
Increasingly, service organizations are receiving requests to provide assurance regarding the effectiveness of the controls over their information technology environment. Organizations have historically provided a SAS 70 controls report to meet these demands. Because the SAS 70 report was focused specifically on internal controls over financial reporting, other operational and compliance risks were not addressed. Over time, user organizations have begun requesting assurance regarding controls that mitigate risks beyond traditional financial reporting risks. To address these requests, the American Institute of Certified Public Accountants (AICPA) established additional options for reporting on controls at service organizations, known as service organization controls (SOC) reports (SOC 1, SOC 2 and SOC 3). Effective for reporting periods ending on or after June 15, 2011, SOC 1 replaces the former AICPA Statement on Auditing Standards (SAS) 70 reporting standard. The SOC 1 report focuses on controls relevant to a user entity's financial statements, and use of the report continues to be restricted to the user entity and its financial statement auditors. SOC 1 engagements are performed in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE) 16. This white paper focuses on the other two controls reporting options, the SOC 2 and SOC 3 reports, which can provide operational and compliance assurance beyond financial reporting.
Both SOC 2 and SOC 3 reports are examinations performed under the general attestation framework established by AT Section 101, Attest Engagements (AICPA, Professional Standards), and use the criteria defined within the Trust Services Principles, Criteria and Illustrations, which address one or more of the following key system attributes:

Principle and description

Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing integrity: System processing is complete, accurate, timely and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity's privacy notice, and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

The two reports offer various options that meet specific needs.

Service organization controls report 2 (SOC 2)

The SOC 2 report has the look and feel of the former SAS 70 or current SOC 1 report. A SOC 2 report can address the suitability of the design of controls to meet the applicable trust services criteria as of a point in time (Type 1), or the design of controls and their operating effectiveness in meeting the applicable trust services criteria over a period of time (Type 2). The Type 2 report includes a separate section disclosing the specific company controls in place to achieve the criteria, along with the service auditor's description of the tests performed and the related test results. Both Type 1 and Type 2 reports include a detailed description of the service organization's system, and the auditor provides an opinion on the fairness of its presentation. A SOC 2 report includes management's description of the service organization's system and an affirmative statement (or assertion) by management that the description is fairly presented, that the controls included in management's description of the system were suitably designed to meet the applicable trust services criteria (as of the specified date for a Type 1 report, or throughout the specified period for a Type 2 report) and, for a Type 2 report, that those controls operated effectively throughout the specified period to meet the applicable trust services criteria. When the service organization's description of the system addresses the privacy principle, management also asserts that it complied with the commitments in its statement of privacy practices throughout the specified period. Because the SOC 2 report discloses the specific criteria tested, certain criteria within a principle can be excluded from the scope of the report (i.e., testing is not performed by the service auditor) if they are not relevant to the organization.
For example, if a service organization uses a subservice organization's data center facility, the particular measures related to physical access do not have to be tested by the service auditor. In such circumstances, the carve-out method could be used for the control activities performed at the subservice organization. However, if the user organization prefers to include all criteria related to the principle, the inclusive method would be appropriate. If the carve-out method is used for the subservice organization, the system description must include the following information:

- The services provided by the subservice organization
- The criteria that are intended to be met by controls at the subservice organization
- The types of controls expected to be implemented at the carved-out subservice organization that are necessary to meet the criteria

If the system description addresses the privacy principle, the description of the subservice organization should also include any aspects of the personal information life cycle for which responsibility has been delegated to that organization and the types of activities it would need to perform to comply with the service organization's privacy commitments.

The SOC 2 report is intended for use by specific parties who have an understanding of the service organization and its controls, such as current customers, regulators, business partners, suppliers and management.

Service organization controls report 3 (SOC 3)

The SOC 3 report, like the SOC 2, uses the criteria in the AICPA Trust Services Principles, Criteria and Illustrations. There are, however, several differences that should be considered. The SOC 3 report does not include a detailed description of the system's controls. The report requires only a brief system description that is used to delineate the boundaries of the system under examination.

The service auditor does not provide an opinion on the fairness of management's system description, and the description must include the following five components:

Component and description

Infrastructure: The physical and hardware components of a system (facilities, equipment and networks).
Software: The programs and operating software of a system (system software, applications and utilities).
People: The personnel involved in the operation and use of a system (developers, operators, users and managers).
Procedures: The programmed and manual procedures involved in the operation of a system (automated and manual).
Data: The information used and supported by a system (transaction streams, files, databases and tables).

In addition to the system description discussed above, the report includes management's assertion and the service auditor's opinion. The specific controls in place to achieve the criteria and the service auditor's description of the tests performed and related test results are not disclosed in the SOC 3 report. All of the criteria within a principle must be within the scope of the report; there is therefore no opportunity to exclude certain criteria or to use the carve-out method for subservice organizations. Management's assertion would include assurance that effective controls were maintained over the specific principle during the specified reporting period, and that management's system description identified all the relevant aspects covered by the assertion. If complementary user-entity controls are significant to achieving the applicable trust services criteria, a SOC 3 unqualified opinion cannot be issued, since the report does not include a detailed description in which to separately identify the necessary complementary user-entity controls along with the criteria that cannot be met by the service organization's controls alone. The key advantage of the SOC 3 report is that there are no restrictions on its distribution, so it can be freely provided to current or prospective customers. Thus, the report can serve as a marketing tool to demonstrate effective controls over the various trust services principles. In addition, the report can be delivered in the form of a seal (SysTrust for Service Organizations), which can be displayed on the service organization's website. The seal is provided to the service organization by the Canadian Institute of Chartered Accountants (CICA) at a cost of $3,000 per year. The service auditor is required to be licensed with CICA to use the seal.

Service organization control (SOC) report summary

SOC 2 (Type 1 or Type 2):
- Ability to exclude one or more criteria within a principle if the criteria are not applicable to the service organization
- Ability to carve out a subservice organization
- Includes the service organization's specific controls and the service auditor's test procedures
- Description of the system is included and the auditor must opine on the fairness of the description
- Restricted distribution

SOC 3:
- Every criterion within a principle must be included (cannot exclude criteria)
- If complementary user-entity controls are significant to achieving the applicable trust services criteria, a SOC 3 unqualified opinion cannot be issued
- Cannot carve out a subservice organization
- Specific controls and the auditor's testing are not disclosed
- Limited system description to define the boundaries of the system, which is not part of the auditor's report (opinion)
- General distribution report
- Ability to obtain a SysTrust seal for your website

Conclusion

Service organization controls reporting can be a complex process, and there are several steps that should be taken to help ensure that organizations provide the right information to help alleviate concerns regarding operational and compliance risks. These include:

- Choosing the appropriate SOC report
- Performing assessments and gap analysis over the design and operation of controls (i.e., SOC readiness)
- Preparing and issuing the SOC report on controls over the requested system

In many cases, it is in an organization's best interest to consult an outside advisor to help confirm the effectiveness of its controls. From assisting in preparation to performing the attestation engagement, a qualified advisor can help ensure that internal controls are well designed, established and operating effectively to meet the requirements for issuance of any of the SOC reports.

McGladrey is the brand under which RSM McGladrey, Inc. and McGladrey & Pullen, LLP serve clients' business needs. The two firms operate as separate legal entities in an alternative practice structure. McGladrey & Pullen is a licensed CPA firm providing assurance services. RSM McGladrey provides tax and consulting services. RSM McGladrey, Inc. and McGladrey & Pullen, LLP are members of the RSM International (RSMI) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey, the McGladrey signatures, the McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of RSM McGladrey, Inc. and McGladrey & Pullen, LLP.
