By Milton L. Petersen, published on September 1, 2011, in Tech Journal South.
Customers or users of outsourcing and cloud computing services are often, and justifiably, concerned about the risks associated with their service providers, especially security-related risks. The American Institute of Certified Public Accountants (AICPA) has recently established a structure of Service Organization Control (SOC) reports to replace SAS 70 reports (i.e., reports produced pursuant to Statement on Auditing Standards (SAS) No. 70 issued by the AICPA), which have been used for years, often for purposes beyond their intended focus on financial reporting and controls.
The type of SOC reports that could be particularly useful in assessing security risks in outsourcing or cloud computing relationships are known as SOC 2 reports. SOC 2 reports can provide detailed information on a service provider’s controls that affect the security, availability, and processing integrity of the service provider’s systems, as well as the confidentiality and privacy of the customer’s information that is processed by those systems.
These five attributes (i.e., security, availability, processing integrity, confidentiality, and privacy) are referred to as the “trust services principles,” and SOC 2 reports may be required to address any or all of them. Obtaining information and assurances regarding the trust services principles can be especially important in heavily regulated industries such as health care and financial services, where stringent requirements to maintain the confidentiality and security of personal information apply.
As with SAS 70 reports, SOC 2 reports may be either Type 1 or Type 2. Type 1 reports describe the controls used by the service provider, while Type 2 reports also involve a test of the design and effectiveness of those controls and describe the associated test results.
Thus, SOC 2 Type 2 reports can provide much more (and more useful) information to a customer and are generally the type of SOC reports that should be required in outsourcing or cloud computing contracts. SOC 2 reports are produced under the AICPA’s attestation standards, specifically, AT Section 101, Attest Engagements.
SOC 2 reports are generally “restricted use” reports that not only describe and test the service provider’s relevant controls, but also address how the service provider’s controls interface or interact with complementary controls and procedures of the customer’s organization. SOC 2 reports may therefore help a customer understand or assess whether there are gaps or weaknesses at the boundaries where its systems and the service provider’s interact.
The service provider’s controls that are evaluated in creating a SOC 2 report are those relating to the service provider’s systems and the service that it provides to the customer. These controls address system components like the service provider’s infrastructure (facilities, equipment, networks), software (systems, applications, and utilities), people (developers, operators, users, managers), procedures (automated and manual), and data (files, databases, data flows). Thus, a SOC 2 Type 2 report can be very comprehensive and provide the customer with a wealth of information to help assess the associated risks.
Contracting norms have not yet emerged
SOC reports are very new and contracting norms with respect to them have not yet emerged. While a customer’s initial negotiating position should probably be to require the service provider to pay the costs of periodically producing SOC 2 Type 2 reports, it may be fair for the customer to bear some portion of the costs, to the extent the reports are specifically tailored to the customer’s organization.
It will probably take some time for the new Service Organization Control reports to become better understood and accepted. However, they certainly offer the potential to be very useful in understanding the risks associated with cloud computing and outsourcing relationships.
Milton L. Petersen is an attorney whose practice focuses exclusively on information technology-related transactions and issues. He is a partner in the Information Technology Practice Group at the law firm of HunterMaclean in Savannah, Georgia, and may be reached at 912-238-2629 or firstname.lastname@example.org.