SAS 70 isn’t a thing anymore and hasn’t been for a while. SSAE 16 superseded the SAS 70 pronouncement in 2011. However, outside of a relatively small cohort of practitioners, how many people actually understand the SOC 1, SOC 2, SOC 3 branding?
You guessed it… hardly anyone. And it has been 6 years.
I know that accountants are not the greatest at marketing, but is this another instance of our profession making our lives harder than they need to be?
Overall, the terminology switch from SAS 70 to SOC 1 was confusing (and I argue that it still is…), and once you mix in SOC 2 and 3, forget about it. I am sure I wasn’t the only one who sat in multiple CPE courses in 2011 to understand the nuances of the change. Maybe at this point CPAs, or at least those who deal with creating the reports, have a grasp of the minutiae, but it isn’t widely understood or fully utilized. Given the blind reliance on these reports in financial statement audits, that concerns me a bit.
SOC 1 vs. SOC 2 vs. SOC 3
First off, who decided this SOC report thing was a good idea? Not only did we abruptly change the name of the SAS 70, we introduced two other similar (yet different) reports at the same time. Lovely. To this day, I don’t think clients really understand why the change occurred. Frankly, it’s not a bad idea to separate the name (SOC 1) from the underlying standard (SSAE 16). But, add a SOC 2 that points to AT 101 and clients’ eyes glaze over and just let you do your thing.
Oh, and when your client wants to share the SOC 2 report on their website (you know, to show how awesome they are at their internal controls), you have to say, “Hold your horses because that, my friends, is a restricted use report. What you need is a SOC 3 report for more general, public use… which, by the way, used to be a SysTrust℠ for Service Organizations report.”
Clear as mud, right?
Underappreciated Trust Service Reports
Don’t get me wrong. SOC 2 and 3 reports have their place. AICPA president Barry Melancon said at a conference in December that “we need a system where we can contractually require our technology suppliers to adhere to certain regulations.” I agree, and after discussing data breaches a couple of weeks ago, it is clear we could be doing a better job keeping the bad guys at bay. The numbers are staggering.
But where do we turn? A CPA of course!
Can a SOC report meet this need? Maybe the greater adoption of SOC 2 reports would be beneficial and improve our confidence with regard to the trust services principles and criteria (e.g., security, availability, processing integrity, confidentiality, and privacy). The AICPA even offers a handy-dandy guide to map the SOC 2 findings to other frameworks including COBIT 5 and ISO 27001.
Am I making a big deal out of nothing? Maybe… but these reports should be more than just a document request item. Are CPAs the right people for the job of overseeing the security of our information systems? I don’t know, but the handful of practitioners who can cross into the technology domain successfully can make a pretty penny for their services.
So tell me, do your clients still ask when you are going to come out and start fieldwork for their SAS 70 report?