Here’s an interesting fact: your data has probably travelled across more countries than you have! Right now, your data is being handled and processed by different entities located in different countries, and most probably you will never have heard of the entity processing it. If you didn’t submit your data to these entities, how did they get hold of it?
Let’s simplify this with an example. Say you are a resident of the United States and your bank is also in the United States. Let’s call your bank ‘X-bank’. While X-bank takes care of the financial side of banking, it is not necessarily the bank’s own IT team that carries out its IT support operations. More often than not, the bank does not have a dedicated in-house IT team at all. Instead, it might have a tie-up with a giant IT company and outsourced its IT operations to that giant. This giant could be located anywhere in the world and might be processing data or resolving IT-related queries thousands of miles away from where your bank is. In this case, let’s call the IT company ‘Y-IT Services’. Y-IT Services provides IT support services for X-bank and thus has access to the data of X-bank’s customers. This is how your data might have had the opportunity to see more of the world than you!
The facilities that carry out this kind of outsourced work are called Global Capability Centers (GCCs). While the previous example spoke about IT support work, the work is not limited to that. Global Capability Centers are facilities that concentrate workers and infrastructure to handle operations (back-office functions, corporate business-support functions, and contact centers) and IT support (application development and maintenance, remote IT infrastructure, and help desks), all on the premise that concentration enhances productivity.
According to an estimate from Nexdigm, an international professional services firm, India is home to over 1,750 Global Capability Centers, which amounts to a massive 50% of all such centers globally. Domestically, GCCs employ over one million employees, generating a total economic value of around $28.3 billion.
Now, when work and data have been outsourced, the organization that outsources is called the User Entity (‘UE’) and the organization to which the data has been outsourced is called the Service Organization. The User Entity must be cautious about how well the outsourced data is guarded and what security measures are in place at the Service Organization to ensure the data is protected.
But how does the User Entity ensure this? This is where Attestation Services come into play. An attestation engagement is a type of audit in which an independent party provides assurance to the User Entity over the level of internal controls present at the Service Organization to ensure there is no risk of data breach or loss. The independent auditors give their opinion on the level of internal controls for processing data at the Service Organization through System and Organization Controls (SOC) Reports. Attestation reporting can effectively provide independent assurance over data management controls to both customers and regulators, while also giving management assurance that the controls in place are designed and operating effectively. SOC reporting can:
- Address risks and provide measures to mitigate them.
- Increase trust and transparency for internal and external stakeholders (User Entity and regulators).
- Meet contractual obligations and marketplace concerns through flexible, customized reporting.
Test of Design vs Test of Effectiveness
SOC reports are of two types:
Type 1 – The Type 1 report is also called the Test of Design Report. Here, the independent auditor verifies whether the controls at the Service Organization work effectively at a specific point in time. A Type 1 report describes the procedures and controls that have been put in place, and whether they worked for just one sample.
Type 2 – The Type 2 report is called the Test of Operating Effectiveness Report. This report provides evidence about how processes have operated over a period of time. This period, called the audit period, usually ranges from 6 months to a year. Here, the independent auditor collects evidence from throughout the audit period to understand how the controls were operating during that period, and uses it to form a final opinion on the operating effectiveness of those controls over the audit period.
Different Types of SOC Reporting
Based on different requirements and different regulatory obligations, there are different types of SOC Reporting:
SOC 1 Reporting
A SOC 1 report is completed by an independent auditor who specializes in auditing IT and business process controls. For US entities, this report is based on the Statement on Standards for Attestation Engagements (SSAE) 18. For other countries, it is based on the International Standard on Assurance Engagements (ISAE) 3402. These are auditing standards issued by standard-setting bodies such as the American Institute of Certified Public Accountants (AICPA).
A SOC 1 report focuses only on controls that directly or indirectly affect the financial statements of the User Entity. For instance, if the payroll processing of a User Entity is outsourced, the SOC 1 report will cover the controls surrounding this process, since it has a significant impact on the finances of the User Entity.
SOC 2 Reporting
A SOC 2 report is imperative for any User Entity dealing with an IT vendor. SOC 2 deals with the examination of a Service Organization’s controls over one or more of the following Trust Service Criteria (TSC). The TSCs have been developed based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and are: Privacy, Security, Confidentiality, Availability and Processing Integrity.
SOC 2 is an auditing procedure that ensures service providers securely manage data to protect the interests of the User Entity and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimum requirement when considering a SaaS provider. SOC 2 reports are unique to each organization: in line with its specific business practices, each organization designs its own controls to comply with one or more of the Trust Service Criteria.
SOC 3 Reporting
A SOC 3 report is a public report on internal controls over security, availability, processing integrity, and confidentiality. The difference between a SOC 2 and a SOC 3 lies in the intended audience. A SOC 2 report is intended only for the clients of the Service Organization and not for the general public, whereas a SOC 3 is meant for the general public. SOC 3 reports are shorter and do not include the same level of detail as a SOC 2 report, which is distributed to an informed audience of stakeholders. Because of their more general nature, SOC 3 reports can be shared openly and posted on a company’s website along with a seal indicating its compliance.
In this increasingly global and digital business landscape, companies enter partnerships with service providers who can implement and manage areas such as IT or accounting. Before a company hands over the keys to its infrastructure or accounts, it must gain comfort that its partner is trustworthy, secure, and operating according to industry requirements. A SOC report is the “trusted handshake” between service providers and their clients.
- Rekha Chander (Freelancer)
Picture Credits: computools.com