Effective June 15, 2011, Service Organization Control “SOC” Reports have replaced “SAS 70” Reports as the umbrella for multiple compliance and reporting requirements including HIPAA and PCI.
SOC reporting engagements result in three types of reports which address the policies, procedures and controls of an organization that processes transactions for others. The report provides reasonable assurance about the accuracy of the description of the organization’s control procedures, their appropriateness and, in certain cases, their operating effectiveness. To issue a report, an auditor reviews management’s control objectives and procedures.
Both SOC 1 and SOC 2 reports will be available in Type 1 (controls are properly designed, in place and documented at a point in time) or Type 2 (controls are properly designed, in place, documented and are operating effectively over a period of time).
The change from SAS 70 to SOC Reports was primarily designed to align with international accounting standards. However, the new change also provides options for companies that do not process financial transactions, but require assurance reporting as part of their services offering for their customers.
For many service organizations, complying with multiple industry standards and regulations is mandatory in order to do business with customers that trust them to safeguard the information they handle.
For example, a datacenter hosts a website that processes and stores credit card data, hosts an online prescription drug provider website, and provides co-location services to a publicly traded company. In this example, the datacenter is required to provide a Payment Card Industry (PCI) Report on Compliance (ROC), a Health Insurance Portability and Accountability Act (HIPAA) report, and a Service Organization Controls (SOC) report, also known as an SSAE16 report and formerly as a SAS70 report.
Each standard and regulation required its own third-party audit every year, adding to the cost of doing business and draining time and resources away from core business activities.
Now there is a way for service organizations to combine multiple compliance requirements into one audit engagement. Changes in the audit standards that became effective June 15, 2011, allow service organizations to include “additional subject matter” in their internal control descriptions. This additional subject matter may include anything not covered by the Trust Services Principles & Criteria (TSPC), for example controls relating to PCI and HIPAA requirements, as well as any other specific controls required by customers.
Under the previous audit standards, service organizations had to document and follow their own controls, which were often difficult to correlate to other standards based on predefined control criteria. The TSPC, on the other hand, cover the domains of Security, Availability, Processing Integrity, Confidentiality, and Privacy and are easily mapped to PCI DSS, NIST, ISO 27001, etc., so that service auditors can test any overlapping controls once.
Seizing upon this opportunity, and to fulfill the customer requirement for separate reports, Hancock Askew has partnered with CompliancePoint, a leading Qualified Security Assessor (QSA), to create an integrated audit framework that merges the TSPC controls with the controls from the other standards.
Through the combined engagement approach, service organizations only have to present audit evidence one time. It is then tested by the combined Hancock Askew / CompliancePoint team, and the results provide a basis for the SOC, HIPAA, and PCI reports issued separately by Hancock Askew and CompliancePoint.
At the conclusion of the audit engagement, Hancock Askew and CompliancePoint evaluate the results of the testing, and issue the reports separately as required by the governing bodies. Hancock Askew issues the SOC report covering the TSPC and any “additional subject matter”, and CompliancePoint issues the Report on Compliance (ROC) covering each of the additional subject matter areas individually. In the example given earlier, the SOC report, the PCI ROC, and the HIPAA ROC can be delivered to the service organization’s customer as requested.
We have developed our methodology to enable service organizations to consolidate PCI and SOC, HIPAA and SOC, ISO 27001 and SOC, GLBA and SOC, FISMA and SOC, or PCI, HIPAA, and SOC together, as well as all of the above, under the SOC report umbrella. Any service organization that can take advantage of the opportunity presented by the new audit standards will benefit from increased audit program efficiency and reduced overall audit fees from its service auditors. This will leave more time and energy for concentrating on profitability and business growth.