By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
A Helpful History of SAS 70, SSAE 16, SSAE 18, and the SOC Audit
CPA firms have been providing service organization audit reports for several decades. In the early-90s, these reports took a leap forward when the AICPA issued Statement on Auditing Standards (SAS) No. 70. SAS 70 was the authoritative guidance that provided a mechanism for service providers to retain an auditor to issue a report that provides assurances over their internal controls.
As technology became a prominent fixture of the business world, organizations relying on technology service providers required assurances over the security of those organizations. For example, organizations using a 3rd party data center required assurances over the security at that data center.
As a result, technology focused service organizations and their auditors began using the SAS 70 standard for security-focused service organization audits. The SAS 70 standard, however, lacked a security framework because it was never intended for security audits. This caused SAS 70-based security reports to vary wildly from one organization to the next, which was detrimental to the goal of comparability between the reports of different organizations.
To alleviate these issues, the AICPA went through a period of issuing, updating, interpreting, and otherwise doing a lot of standard setting to get us to where we are today. Statement on Standards for Attesting Engagements (SSAE) 18 sets forth the auditing standards under which all Service Organization Control (SOC) exams, including SOC 1 and SOC 2 exams, are performed. The SOC 1 exam is the successor to the financially focused SAS 70, and the SOC 2 exam is the successor to the security focused audits performed under SAS 70. In addition to SSAE 18, SOC 2 exams are further guided by the Trust Services Criteria (TSC), which establishes a common framework for organizational and security compliance.
AICPA Trust Services Criteria
The TSC provides the framework to organizations and auditors that was missing in SAS 70. The TSC empowers organizations and their auditors to evaluate and report on controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy. The TSC contains 61 total objectives and they are organized into two main areas Common Criteria and Additional Criteria.
The Common Criteria contains 33 objectives including objectives derived from the COSO Internal Control Integrated Framework as well as the Security related objectives. The Common Criteria are required for all SOC 2 engagements.
The Additional Criteria include 28 objectives spread between Availability, Processing Integrity, Confidentiality, and Privacy. These criteria are optional. Generally, the decision to include or exclude Additional Criteria from a SOC exam depends upon the expectations and contractual requirements of the service provider. For example, if the service provider has “uptime” guarantees in contracts, it will likely be appropriate to include the Availability criteria in the SOC exam.
You can download the full Trust Services Criteria directly from the AICPA here. The table below summarizes the major areas of the Trust Services Criteria, as well as the number of individual objectives/criteria in each section.
Trust Services Criteria Summary Table
|Reference||Trust Service Criteria Section||Number of Criteria|
|CC1.X||COSO – Control Environment||5|
|CC2.X||COSO – Communication and Information||3|
|CC3.X||COSO – Risk Assessment||4|
|CC4.X||COSO – Monitoring||2|
|CC5.X||COSO – Control Activities||3|
|CC6.X||Security Criteria Related to Logical and Physical Access Controls||8|
|CC7.X||Security Criteria Related to System Operations||5|
|CC8.X||Security Criteria Related to Change Management||1|
|CC9.X||Security Criteria Related to Risk Mitigation||2|
|P1.X||Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy||1|
|P2.X||Privacy Criteria Related to Choice and Consent||2|
|P3.X||Privacy Criteria Related to Collection||2|
|P4.X||Privacy Criteria Related to Use, Retention, and Disposal||3|
|P5.X||Privacy Criteria Related to Access||2|
|P6.X||Privacy Criteria Related to Disclosure and Notification||7|
|P7.X||Privacy Criteria Related to Quality||1|
|P8.X||Privacy Criteria Related to Monitoring and Enforcement||1|
In upcoming articles, we will go into detail in each one of these areas to provide companies additional guidance.
Keiter provides SOC Exam and Exam Readiness Services for all types of SOC exams. Our SOC services are provided by our Risk Advisory Services Team, which is led by experienced CPAs, CISAs, and technology professionals with industry experience. Our Risk Advisory Teams services a variety of industries and business types.
Additional SOC Resources
- How long does it take to get a SOC Report?
- Does your service organization need a System and Organization Control (SOC) Report?
- When to Choose a SOC 1 vs SOC 2 Report
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.