Service Organisation Controls (SOC) reports used to be conducted in accordance with "SAS70" in the US. A few years ago, SAS70 was replaced by SSAE16 (now SSAE18) in the US, ISAE3402 globally and ASAE3402 in Australia. The frequently used SOC 1 report focuses on financial reporting.
There are a few myths associated with SOC 1 reports. Three of the common myths that we have come across are:
1. Certification
Have you been told that your outsourced service provider is SAS70 (or SSAE16, ASAE3402, ISAE3402, SOC) certified?
This is a common misconception. The standards under which such REPORTS are provided are well defined, but the reports themselves do not represent CERTIFICATION.
Other standards (e.g. PCI DSS, ISO27xxx) may allow for "certification".
SOC reports, on the other hand, are just reports with an opinion.
2. Qualified Opinions
Many SOC reports will contain qualified opinions.
This is not the same as a qualified financial audit opinion.
Because SOC reports are largely controls-focused reports, the opinion is typically specific to the individual control objectives, while financial audit opinions are broader.
This doesn't mean that a qualification should be overlooked, but the specific reason(s) for qualification should be considered first.
3. Use of SOC 1 reports
Do you use the reports to determine the level of control associated with various IT risks?
SOC 1 reports are designed for financial statement misstatement risk - i.e. for use by the external auditors of the service organisation's customers. In fact, the reports will state that this is the intended use.
The reason that the relevant standards were created in the first place is that many service organisations (e.g. shared services providers) did not want multiple auditors coming in and asking the same questions, testing the same controls, etc. The SOC 1 report enables the shared service provider to have the auditing performed once, and then relied upon by their customers' auditors for the customers' financial audits.
Using a SOC 1 report to obtain comfort regarding all other risks (e.g. privacy) is dangerous: while there may be an element of overlap in risk/control, SOC 1 reports are not designed to cover, and will generally not cover, related assurance requirements.
Note that there are also other SOC reports - e.g. SOC for Cybersecurity.
Use SOC 1 reports with care.
Have you come across any of these or do you have any other top myths to share?
*Note that the information above is a high level summary only and is not to be relied upon. Seek advice from your accountants, auditors, legal, compliance or equivalent.