When the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure in the latter half of 2011, some believed that the new SOC 2 concept of reporting on controls relevant to Availability, Confidentiality, Processing Integrity, Security, and/or Privacy using the prescriptive Trust Services Principles would play a prominent role in data center reporting. In the several months that have followed, anecdotal evidence suggests that SOC 1 (aka SSAE 16), which is the successor standard to SAS 70, remains the clear favorite of data centers and that SOC 2 has yet to gain any significant traction.
In leading BrightLine, one of the world’s largest providers of SOC reporting services, I have the unique opportunity to monitor trends in SOC reporting. I have observed that virtually every data center that previously underwent a SAS 70 audit has opted to continue with SOC 1 examinations. Some of these data centers elect to couple their SOC 1 examination with an SOC 2 examination, while almost none have elected to forgo SOC 1 in favor of SOC 2.
In addition, I have noted that a recurring set of questions is being posed by data center providers. These questions, and the related answers, largely explain why SOC 1 / SSAE 16 remains so prevalent among hosting providers. As such, I would like to take an opportunity to share my views on these issues.
Are data centers still valid candidates for SOC 1 examinations?
Yes. Despite what you may have heard, there is currently no technical guidance prohibiting the application of SOC 1 to data centers so long as the data centers host systems relevant to user entities’ internal controls over financial reporting (ICFR).
Some people make the prima facie argument that hosting services have no obvious relevance to user entities’ ICFR, and thus, SOC 1 is not applicable to data centers’ services. A more detailed review of the appropriate guidance reveals that this argument is a subjective interpretation devoid of authoritative support. The AICPA’s SOC 1 guide directly contradicts this argument when it provides examples of valid candidates for SOC 1 examinations that, at first glance, are not obvious candidates for an SOC 1 examination. This list includes ISPs, Web hosting providers, and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus”. (Ref. Par. 1.06 of the SOC 1 guide) Obviously, hosting services would fit quite comfortably within the range of these examples.
If we were seeking personal opinions on this matter, AICPA webinars would be an excellent source. Interestingly enough, a panel of AICPA experts openly confirmed that SOC 1 is applicable to data centers when applicability requirements are met, during a recent SOC reporting webinar. See the Q&A on this matter in the lower right corner of this screenshot – http://bizy.be/ttosO.
Beyond the guidance and expert opinions, we should consider market trends. With major data center providers announcing completed SOC 1 examinations on a weekly basis, these trends clearly show that the industry and the “Big 5” of SOC reporting (BrightLine + “The Big 4” global accounting firms) agree that SOC 1 can be applied to data centers. In other words, the debate about the applicability of SOC 1 to data centers is over.
Can data centers use SOC 2 as a substitute for SOC 1?
No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “[…] controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “[…] report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that SOC 2 examinations cannot be used as a substitute for SOC 1 examinations.
Further guidance is found in the SAS 70 standard, which is still very much alive and has been revised to provide guidance to user auditors (i.e., the financial statement auditors of user entities). Paragraph 24 of the revised standard requires that the user auditors obtain a “service auditor’s report on a service organization’s description of the controls that may be relevant to a user entity’s internal control as it relates to an audit of financial statements […]”. As previously noted, SOC 2 cannot report on ICFR topics and is, therefore, not a viable alternative to SOC 1 for such purposes.
Are SOC 2 examinations “better” or “more appropriate” than SOC 1 for data centers?
No. There is absolutely nothing in the current guidance that supports personal opinions that SOC 2 is “better” or “more appropriate” than SOC 1 for data center examinations. Both guides contain unambiguous applicability requirements. Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not. In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.
Is it true that SOC 1 does not address logical security, physical security and processing integrity topics?
No. The notion that SOC 1 does not address security or processing integrity is one of the most common errors made by those unfamiliar with SOC reporting. This error often stems from a misconception that SOC 1 examinations opine on financial reporting controls. As I noted above, SOC 1 examinations actually report on controls likely to be relevant to user entities’ controls over their own financial reporting, to which security and processing integrity controls are highly relevant. In fact, the SOC 1 guide includes multiple examples of control objectives and illustrative controls related to logical security, physical security and processing integrity of transactional services. (Ref. Par. 3.63, 4.48 & illustrative reports of the SOC 1 guide, among many others)
Can data centers undergo both types of examinations?
Yes. SOC 1 and SOC 2 examinations are not mutually exclusive examinations. Data centers are often valid candidates for both SOC 1 and SOC 2 examinations. They are part of a small portion of the overall service organization population for which this is likely to be true and worthwhile.
Why is this the case? Because data centers normally host systems that are relevant to the ICFR of some customers and not for others. Therefore, the former will only accept an SOC 1 report for reasons described above, while the latter are not authorized users of an SOC 1 report and may not rely on it to obtain assurance on topics such as availability, confidentiality, processing integrity, security and/or privacy. So while nearly every data center that formerly underwent a SAS 70 examination is continuing with an SOC 1 examination to meet the needs of certain customers, many of those organizations are seeing value in coupling it with an SOC 2 examination for the benefit of other customers.
While SOC 2 has potential, SOC 1 remains one of the most important assurance tools for hosting providers. Decision makers should recognize that data centers are often valid candidates for SOC 1 and SOC 2 examinations. Those providers considering either type of SOC examination should realize that it is never a matter of SOC 1 vs. SOC 2. The real decision is whether the organization should undergo an SOC 1 examination, and separately, whether the organization should undergo an SOC 2 examination. It is often advisable to engage a CPA firm with significant SOC reporting experience in these discussions. Such informed analysis may conclude that SOC 1, SOC 2, both, or neither, are appropriate for an organization’s particular circumstances.
Also published on Data Center Knowledge at http://www.datacenterknowledge.com/archives/2012/05/01/why-soc-1ssae-16-is-still-the-king-of-the-hill/