Category: Cyber Security

What’s a better fit? A SOC 1 or a SOC 2?

The general term for third-party risk reporting by service organizations to user organizations is the System and Organization Controls report, or SOC report. The term originates from the American Institute of Certified Public Accountants (AICPA), which introduced it as the successor to the SAS 70 framework.

These reports were previously called Service Organization Control reports. SOC is a series of report types originating in the US. ISAE 3402, the international standard issued by the IAASB, aligns with the American Statement on Standards for Attestation Engagements (SSAE) 18. An ISAE 3402 report provides assurance, through a Service Auditor’s Report, on the description of a service organization’s system and on the suitability of the design and operating effectiveness of its internal control measures.

ISAE 3402 | SOC 1

In an ISAE 3402 | SOC 1 report, the organization defines its own control objectives and controls and aligns them with customer needs. The scope of an ISAE 3402 typically includes all operational and financial controls that affect the customer’s financial statements, plus the supporting general IT controls (ITGCs), for example security management, physical and logical security, change management, incident management, and system monitoring. In other words, if an organization hosts or processes financial information that may affect its customers’ financial reporting, an ISAE 3402 | SOC 1 audit report is the most logical one to pursue and the one most likely to be requested. The ITGCs, operational controls, and financial controls are audited under the ISAE 3402 | SOC 1 framework.

Because user organizations subject to SEC filings in the US must assess their internal control over financial reporting (ICFR), the controls at the service organization that support that ICFR must be included in the SOC 1 audit.

Because IT service providers, and later cloud service providers and data center/hosting providers, became the most important suppliers to financial institutions, SAS 70, SSAE 18 SOC 1, and ISAE 3402 have become the most comprehensive and transparent standards for assurance over IT outsourcing. Organizations that need an ISAE 3402 | SOC 1 report often also consider an ISAE 3000 | SOC 2 report.

ISAE 3000 | SOC 2

ISAE 3000 | SOC 2 reports apply the Trust Services Principles and Criteria (TSPs), now called the Trust Services Criteria (TSC). The TSPs are a set of specific requirements developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) to provide assurance over security, availability, confidentiality, processing integrity, and privacy. An organization chooses the categories relevant to its customers’ needs, so an ISAE 3000 | SOC 2 report may cover one or more of them; in practice, security (the common criteria) is always in scope and the other four categories are optional. If your organization hosts or processes information for customers that does not affect their financial reporting, an ISAE 3000 | SOC 2 report is the more relevant one. In that case, your customers are mainly concerned with whether you handle their data securely and whether it is available to them as agreed. Like a SOC 1 report, a SOC 2 report evaluates internal controls, policies, and procedures.

SOC 1 OR SOC 2?

Organizations processing, hosting, or managing systems or information that affect their customers’ financial reporting should always provide an ISAE 3402 | SOC 1. ISAE 3000 | SOC 2 applies when the systems and processes in scope are unrelated to financial reporting. Data center, IaaS, and PaaS providers typically report in a hybrid fashion: an ISAE 3402 | SOC 1 for the processes and systems related to financial reporting and an ISAE 3000 | SOC 2 for the rest. Both reports follow the same structure (system description, control objectives or criteria, and the auditor’s tests and results); they differ in which controls are in scope.

Third-party risk and ISAE 3402

From the full outsourcing of complex functions such as IaaS and PaaS services or component manufacturing to small contracts with local service providers and suppliers, organizations of all sectors and sizes rely heavily on external service organizations.

Outsourcing brings cost savings, operational efficiency, or expertise the organization does not have in-house. It also increases risk exposure. Understanding, analyzing, and effectively responding to these risks as part of an enterprise risk management (ERM) approach is essential for minimizing exposure to financial losses, regulatory non-compliance, and reputational damage.

Understanding third-party risks

Third-party risk is not limited to multinational companies outsourcing key business functions to offshore suppliers. Most organizations now engage service providers as part of regular business operations, as discussed in the previous chapter. Even small businesses rely on service organizations for activities ranging from server hosting and IT support to payroll processing. The growth in outsourcing amplifies the potential risks organizations face.

Analyzing this third-party risk at any given time is essential for business continuity and for getting the most out of risk management efforts. Given how heavily most businesses rely on data, any third party with access to sensitive or confidential information is a potential risk to business continuity. As with other risk categories, outsourcing risk can be classified into levels and hierarchies. These levels and hierarchies are the basis on which management sets risk priorities and the basis for the risk framework in an ISAE 3402 | SOC 1 report.

Risk prioritization and ISAE 3402

Setting risk priorities is not a one-time exercise; every parameter can change over time, driven by factors ranging from economic developments to changes in the regulatory environment to evolving strategic initiatives. While not exhaustive, the types of third parties that typically pose a higher risk to your organization include service organizations such as:

  • Cloud computing/on-demand computing
  • Software-as-a-Service (SaaS)
  • Internet service providers (ISPs)
  • Credit card processing platforms
  • Online order fulfillment
  • Data center and co-location providers
  • HR and payroll administration
  • Third-party administrators (TPAs)
  • Printing and postal services
  • Third-party logistics services (3PL)
  • Accounts receivable processing and collection services
Third-party due diligence

Thorough due diligence before entering into a new third-party contract is only the beginning. Like other business risks, third-party risks must be managed regularly and proactively throughout the lifespan of a vendor relationship, because the parameters change over time. This involves leveraging internal audit, finance, legal, and, in many cases, independent auditors issuing an ISAE 3402 assurance opinion.

Expansion obtains ISAE 3402 Type II statement


Utrecht, April 25, 2019 – DMS provider Expansion obtained its ISAE 3402 Type II statement in January 2019. With the statement, prepared with the assistance of Securance, Expansion’s clients receive an objective confirmation of the reliability of its service processes. Conclude Accountants conducted the audit.

Digital archiving and document management

Expansion is a leading provider of digital archiving and document management solutions and increasingly offers them from the cloud. Expansion enables organizations to fully outsource the management of their critical business information. To assure clients and their accountants that it meets the highest standards of information security, Expansion decided to obtain an ISAE 3402 Type II statement.

Implementation & audit

Securance and Conclude Accountants supported Expansion in the second half of 2018 with the implementation of the ISAE 3402 report, and the audit examined three questions: Is the service organization’s system description accurate? Are the defined control measures suitably designed? Do the control measures operate effectively to achieve Expansion’s control objectives? Conclude Accountants obtained confirmation on all three during the audit, enabling the issuance of the ISAE 3402 Type II statement.

Comprehensive selection

Expansion chose Securance and Conclude Accountants to guide the process, primarily for their extensive experience in this field.

Continuous process

Expansion found the collaboration highly constructive and credits it with raising its services to an even higher and more consistent level. Obtaining the ISAE 3402 Type II statement is not the end for Expansion but part of an ongoing improvement process, to which Securance will continue to contribute. Initial arrangements for the upcoming audit have already been made.

About Expansion

With its standard DMS Xtendis, Expansion is one of the market leaders in the Netherlands in digital archiving and document management. Xtendis is increasingly taken as a cloud service. It is used in the Netherlands by more than 650 organizations for applications including digital personnel files, order files, invoice processing, customer files, and mail processing. Xtendis unlocks a total of over 2.6 billion documents for more than 4 million users.

ISAE 3402 | SOC 1 Type I vs. Type II

Type I versus Type II

To clarify which SOC report type your organization needs, here is the essential information.

There are two types of ISAE 3402 reports: a Type I report and a Type II report. Both have the same structure. The difference lies in the audit performed. In a Type I audit, the auditor determines whether the risk management framework and control measures are suitably designed and exist at a specific point in time. To determine this, the auditor “walks through” the processes; these procedures are called walkthroughs. In a Type II audit, the auditor determines whether the control measures have actually operated effectively over a period of at least six months. A Type I report therefore relates to a single measurement point, and a Type II report to a period of at least six months.

A Type II report gives a user organization more certainty that the service is controlled as agreed. The period covered by an ISAE 3402 Type II audit is a minimum of six months unless there is a special situation, such as the acquisition of a new organizational unit or the introduction of a new IT system.

The first audit always requires extra work from both the organization and the auditor to build mutual understanding. Going from Type I to Type II spreads that business impact, because a Type I audit requires fewer audit tests: the auditor typically examines a single instance of each control to confirm its design and implementation. In a Type II audit, the auditor selects and tests multiple samples from the population of control occurrences over the audit period. A Type I report thus paves the way for Type II without addressing everything at once.

One advantage of a Type I report is the flexibility it offers during the audit: issues can be identified and remediated before the report is released. Because the report is a snapshot of the situation at the reporting date, issues resolved before that date do not appear in it as exceptions.

ISAE 3402 advice?

ISAE 3402 reports are read not only by your customers but also by their accountants. A report that does not meet best practice, or that is described less professionally, is likely to be recognized as such by your customer or your customer’s accountant. With experience in ISAE 3402 since 2004, Securance is well positioned to prepare a professional report. We can also advise you on how to improve your control measures so that you have better control over your risks.

Learn more about Securance and ISAE 3402.