Overview of AICPA SOC Suite of Services
Prepared by:
Rushabh Pinesh Mehta
Disclaimer
• This presentation has been made by me based on my knowledge and experience
• This presentation is only for knowledge-sharing purposes
• This presentation conveys my personal views and opinions, which are in no manner associated with my current or any of my previous organizations
• Illustrations used in the presentation are only for knowledge-sharing purposes
• I do not promote / endorse any organization, services, products or tools in any manner
• This presentation is prepared just to give back to the Information Security Community in these difficult times
Agenda
• History / Evolution
• Basic Key Terminologies
• What is SOC reporting and its benefits
• AICPA SOC Suite of Services
• Attestation Standards
• Difference between SOC 1, SOC 2 and SOC 3
• Type of SOC Reports
• SOC Report Structure / Sections of SOC reporting
• Section on System Description
• Additional Terminologies
• SOC 1 control examples
• Overview of SOC 2 and SOC 3 Trust Services Criteria
• Bridge Letter
History / Evolution
• 1974: SAS 3 - The Effects of Electronic Data Processing (EDP) on the Auditor's Study and Evaluation of Internal Control
• 1982: SAS 44 - Special-Purpose Reports on Internal Accounting Control at Service Organizations
• 1992: SAS 70 - Service Organizations
• 1997: WebTrust - Principles and criteria for electronic commerce
• 1999: SysTrust - Principles and criteria for system reliability
• 2003: Trust Services Principles and Criteria - merger of WebTrust and SysTrust
• 2010: SSAE 16 - Reporting on Controls at a Service Organization (replaced SAS 70; effective for reports dated on or after June 15, 2011)
• 2011: SOC 1®, SOC 2® and SOC 3® introduced (at that time "SOC" stood for Service Organization Control)
• 2016: SSAE 18 - Attestation Standards: Clarification and Recodification (supersedes SSAE 16; effective for reports dated on or after May 1, 2017)
• 2017: "SOC" renamed to System and Organization Controls; 2017 Trust Services Criteria issued; SOC for Cybersecurity introduced
• 2020: SOC for Supply Chain
Some of the basic key terminologies
• User Entity (UE): Entity / organization that uses the services provided by the service organization
• Service Organization (SO): An organization, or a segment of an organization, that provides services to user entities
• Sub-service Organization (SSO): An organization to which the service organization outsources part of the service that it delivers to user entities (for example, a hosting provider used by a SaaS vendor)
• Service Auditor (SA): Independent CPA (firm) that examines the service organization's controls and issues the SOC attestation report
What is SOC reporting?
• SOC stands for System and Organization Controls
• Note: SOC no longer stands for Service Organization Control; the AICPA renamed the suite in 2017 when SOC for Cybersecurity, which is not limited to service organizations, was introduced
• A SOC report is issued under AICPA-defined attestation standards / guidance; the examination is performed, and the report provided, by a service auditor
• Hence, SOC for Service Organizations reports are internal control reports, provided by independent CPAs (service auditors), on the services that a service organization provides to user entities
• Note: SOC is not a certification. It is an attestation report containing the service auditor's opinion, and there is no "pass / fail" or certificate; the reader has to read the opinion, the scope and the test results
Why SOC Report / Benefits of SOC attestation
• Useful for evaluating the effectiveness of controls related to the services performed by a service organization
• Appropriate for understanding how the service organization maintains oversight over third parties (sub-service organizations) that provide services to its customers
• Helps reduce the compliance burden by providing one report that addresses the shared needs of multiple users
• Enhances the ability to obtain and retain customers
• Reduces compliance costs and the time spent on customer audits and on filling out vendor questionnaires
AICPA SOC Suite of Services
• SOC 1® - SOC for Service Organizations: ICFR
  • Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (ICFR)
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
  • Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
  • Designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® report. Because they are general-use reports, SOC 3® reports can be freely distributed (e.g. published on the service organization's website)
• SOC for Cybersecurity
  • A reporting framework for communicating information about the effectiveness of an entity's cybersecurity risk management program to a broad range of stakeholders; it is not restricted to service organizations
• SOC for Supply Chain
  • An internal controls report on a vendor's manufacturing or production processes, intended to help customers of manufacturers and distributors better understand the cybersecurity risks in their supply chains
Attestation Standards
• SSAE 18 (Statement on Standards for Attestation Engagements No. 18), codified as the AT-C sections
  • AT-C Section 105: Concepts common to all attestation engagements
  • AT-C Section 205: Examination engagements
• SOC 1:
  • AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
  • International equivalent: International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization
• SOC 2 and SOC 3:
  • No dedicated AT-C section; performed under AT-C Sections 105 and 205 together with the AICPA SOC 2® guide and the Trust Services Criteria
  • International equivalent: ISAE 3000 (Revised)
SOC 1 v/s SOC 2 v/s SOC 3

Purpose / Area of focus
• SOC 1: Solely the systems and controls at the service organization that may be relevant to user entities' internal control over financial reporting
• SOC 2: Operational controls (security, availability, processing integrity, confidentiality, privacy)
• SOC 3: Same as SOC 2, but the report can be made public

Summary
• SOC 1: Detailed report for users and their auditors
• SOC 2: Detailed report for users, their auditors, and specified parties
• SOC 3: Short report that can be more generally distributed

Defined scope of system
• SOC 1: Classes of transactions; procedures for processing and reporting transactions; accounting records of the system; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions
• SOC 2 and SOC 3: Infrastructure, software, procedures, people and data (the five components of a system)

Control domain options
• SOC 1: Transaction processing controls; supporting IT general controls (ITGC)
• SOC 2 and SOC 3: Security, availability, confidentiality, processing integrity, privacy

Level of standardization
• SOC 1: Control objectives are defined by the service provider and may vary depending on the type of service provided
• SOC 2 and SOC 3: The trust services categories (called "principles" before the 2017 TSC) are selected by the service provider; specific predefined criteria are evaluated rather than service-provider-defined control objectives

Useful to
• SOC 1: Financial services; asset management and custody services; healthcare claims processing; payroll processing; payment processing; cloud ERP services
• SOC 2 and SOC 3: Cloud-based services (SaaS, PaaS, IaaS); managed security services; data center co-location / managed infrastructure services; IT systems management; any service where customers' primary concern is security, availability, confidentiality, processing integrity or privacy
Types of SOC reports - Type I v/s Type II

Type I
• Applicable for both SOC 1 and SOC 2
• Point-in-time report (as of a specified date)
• Covers the design and implementation (D&I) of internal controls at the SO: the service auditor opines on whether the controls are suitably designed and were implemented as of that date
• Includes the system description and the list of controls, but no tests of operating effectiveness and no test results
• Because it is point-in-time and a tests-of-design (TOD) only report, there is no minimum period
• User auditors cannot rely on it as evidence that controls operated effectively over a period; it only helps them understand the design of the system
• When to go for Type I:
  • New service / new report, i.e. first-year reporting considerations
  • The service organization has recently made significant changes to the system and related controls
  • The service organization's system has not been in operation for a significant length of time

Type II
• Applicable for both SOC 1 and SOC 2
• Covers a period of time (the examination period)
• Covers operating effectiveness (OE) in addition to design and implementation (D&I): the service auditor tests the controls over the period and the report describes the nature, timing and extent of the tests
• Includes the system description, the controls, the tests of operating effectiveness and the results of the tests (including any exceptions noted)
• AICPA guidance expects the period covered to be at least six months; shorter periods are possible in limited circumstances but give user auditors less evidence. Twelve-month periods are common
• User auditors can rely on it
• An SO can go directly for a Type II report without first obtaining a Type I
SOC report structure / Sections of SOC reports

Section 1: Service auditor's opinion (SOC 1, SOC 2 and SOC 3)
Section 2: Management's assertion (SOC 1, SOC 2 and SOC 3)
Section 3: System description, including controls (SOC 1, SOC 2 and SOC 3; in a SOC 3 the description is abbreviated)
Section 4:
• SOC 1: Control objectives, control activities, tests of operating effectiveness*, results of tests*
• SOC 2: Trust services criteria, control activities, tests of operating effectiveness*, results of tests*
• SOC 3: Criteria (referenced only; no listing of individual controls or tests)
* applicable for Type II
Section 5: Other information provided by the service organization (SOC 1 and SOC 2 only). This section is not covered by the service auditor's opinion, so readers should not take assurance from it
What to include in Section 3 - System Description

Scope of report and disclosures
• Scope and overview
• Sub-service organization(s), and whether the carve-out or inclusive method is used
• Significant changes during the examination period
• Use of the work of the internal audit function

Overview of operations and the system
• Company overview and background
• Overview of the data center services system (if applicable)

Overview of the relevant infrastructure (the five components of a system)
• Infrastructure
• Software
• People
• Procedures
• Data

Relevant aspects of:
• Control environment
• Risk assessment
• Information and communication systems
• Monitoring activities
• Policies and practices

Controls
• Points of focus*, criteria*, control objectives and related controls
• Complementary User Entity Controls / Considerations (CUECs)
* applicable for SOC 2
Some additional terminologies
• Complementary User Entity Controls / Considerations (CUECs)
  • Controls that the service organization assumes, in the design of its system, will be implemented by the user entities, and that are necessary (in combination with the SO's own controls) to achieve the control objectives / criteria stated in management's description. Example: the SO provides role-based access, but the user entity must request removal of access for its own leavers
• Complementary Sub-service Organization Controls / Considerations (CSOCs)
  • Controls that management of the service organization assumes will be implemented by the sub-service organizations, and that are necessary to achieve the control objectives / criteria stated in management's system description, when the carve-out method of reporting is used. Example: physical security of a data center operated by a hosting provider
• Carve-out method: the SSO's controls are excluded from the SO's description and from the scope of the service auditor's examination; the description identifies the SSO, the services it provides and the CSOCs, and users rely on the SSO's own SOC report for assurance over those controls
• Inclusive method (referred to as "carve-in" on the original slide): the SSO's relevant controls are included in the SO's description and tested by the service auditor; this requires the SSO's cooperation and a written assertion from the SSO's management, and is typically used when the SSO does not have a SOC report of its own
Examples of Control categories for SOC 1
• Entity level Controls
• Customer Provisioning
• User Access Management
• Change Management
• Incident and Problem Management
• Physical Security
• Environmental Security
• Systems Availability
• Backup processes
• Network Monitoring
• Information Security
Overview of SOC 2 and SOC 3 Trust Services Criteria (TSC)

Trust Services Criteria (TSC) and description
• Security: The system is protected against unauthorized access, use, or modification. Security (the "Common Criteria") is mandatory in every SOC 2 / SOC 3; the other four categories are optional and selected by the SO based on the commitments it makes to customers
• Availability: The system is available for operation and use as committed or agreed
• Confidentiality: Information designated as confidential is protected as committed or agreed
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of / destroyed in conformity with the commitments in the entity's privacy notice and with the privacy criteria (formerly the Generally Accepted Privacy Principles, GAPP, issued by the AICPA and CPA Canada; the 2017 TSC contain the privacy criteria directly)
SOC 2 and SOC 3: TSC - Security
• IT security policy
• Security awareness and communication
• Risk assessment
• Logical and physical access
• User authentication
• Change management
• Incident and problem management
• Asset classification and management
• Configuration management
• Vulnerability and patch management
• Security monitoring and compliance
SOC 2 and SOC 3: TSC - Availability
• BCP and IT DR policy and plan
• Backup and restoration
• Environmental controls
• Disaster recovery
• Business continuity management
SOC 2 and SOC 3: TSC - Confidentiality
• Confidentiality policy
• Confidentiality of inputs
• Confidentiality of data processing
• Information disclosures (including to third parties)
• Confidentiality of information in systems development
SOC 2 and SOC 3: TSC - Processing Integrity
• System processing integrity policies
• Completeness, accuracy, timeliness and authorization of inputs, system processing, and outputs
• Information tracing from source to disposition
SOC 2 and SOC 3: TSC - Privacy
• Privacy management
• Privacy notice / statement
• Choice and consent mechanism
• Collection
• Use and retention
• Access
• Disclosure to third parties
• Quality
• Breach notification
• Monitoring and enforcement
Concept of Bridge Letter / Gap Letter
• A bridge letter, also known as a gap letter, is a letter from the service organization that bridges the "gap" between the end date of the period covered by its most recent SOC report (in layman's terms, the SOC report's audit period end-date) and the user organization's year-end (calendar or fiscal)
• The letter is on the service organization's letterhead and is signed by the service organization's management, not by the service auditor that performed the SOC examination
• Because it is not examined by the service auditor, it is a management representation only and provides no assurance; user organizations and their auditors should read it alongside the SOC report, not instead of it
Bridge Letter Components
• The SOC report period end date
• Material changes in the internal control environment since that date (if any)
• A statement that the service organization is not aware of any other material changes outside of what is listed in the bridge letter
• A reminder that user organizations are responsible for implementing the complementary user entity controls / considerations
• A request for user organizations to read the full SOC report
• A disclaimer that the bridge letter is not a replacement for the actual SOC report
Some additional resources / references
• AICPA SOC Suite of Services - https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
• Mappings Relevant to the SOC Suite of Services - https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html
Questions?

Thank you!