Procurement says SAS70;
Finance says SSAE 16;
Audit says SOC 2;
IT says ISO27001;
Supplier says pay, pay, pay.
But there's one fact
That no one knows . . .
WHAT DOES THE SOX SAY?
Any negotiation for cloud and outsourced services undoubtedly ends up in a debate over what audits are appropriate, what are required, and who will pay for them. With numerous stakeholders, the business owner is often left with a cacophonous chorus of meaningless "gering-ding-dingeringeding" and "Joff-tchoff-tchoff." So, from the lawyers perspective, let's try to sort out what each of the audits are, which ones are required by or helpful for compliance with Sarbanes-Oxley and other laws, and where they might be appropriate.
As relevant here, the Sarbanes-Oxley Act of 2002 (SOX) relates to the accuracy of reporting of a company's financials. Among other things, SOX requires the CEO to sign off on those financials. Because in most enterprises the CEO is not able to personally track the entire financial reporting process, companies have implemented controls that allowed the CEO and other executives to be confident in the financials (thereby also protecting the investing public). The Statement on Accounting Standards No. 70 (SAS-70) audit grew up against this backdrop as an audit to validate that sufficient controls are in place to enable accurate financial reporting.
SAS-70 audits came in two flavors: Type I, validating that controls are in place; and Type II, validating that those controls are actually applied.
As outsourcing (and later cloud) grew in parallel with this trend, customers were rightly focused on being sure that the functions outsourced to the supplier were governed by adequate controls. Thus, it became common practice to require that a supplier provide a SAS-70 for the outsourced services. Of course, everyone got so focused on requiring SAS-70s and arguing over who would pay, that the industry lost focus on the relatively narrow scope of the SAS-70. Soon, the SAS-70 became a proxy for a ensuring the quality of many areas of the service that had nothing to do with financial controls. Customers demanded SAS-70s without focus on what they were offering, and Suppliers trotted out SAS-70s to avoid the more robust conversations about other audits that might be appropriate.
In June, 2011, the American Institute of CPAs (AICPA) replaced the SAS-70 with a SOC (Service Organization Controls) 1 Audit (also known as an SSAE 16 audit), in part to conform to the requirements of the international standard covering the same financial controls--the ISAE 3402. Just like the SAS-70, the SOC 1 (SSAE 16) covers only financial controls. Similarly, the SOC 1 comes in the same Type I and Type II varieties. Where it was appropriate in the past to use a SAS-70, it is now appropriate to use a SOC 1. Where it was inappropriate to use the SAS-70, it is still inappropriate to use a SOC 1 (which has become the most common offering by the supplier community).
However, with the SOC 1, also came the SOC 2. The SOC 2 audit goes beyond financial controls and covers the following areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Sounds perfect for cloud and outsourcing agreements. Of course, these audits only cover the principles that are included within the scope of the audit--that is, you can have a SOC 2 that covers any or all of the foregoing areas. Also, SOC 2 audits can be burdensome to complete, and have a price tag that is often not borne readily by the supplier (although in some industries, a supplier may voluntarily undertake a SOC 2 so as to avoid custom audit requests from its customers). Like SOC 1, the SOC 2 also comes in Type I (controls are in place) and Type II (controls are being followed).
But that's not all. The AICPA did not stop with 2 SOCs (which rhymes with, but should not be confused with, SOX). The SOC 3 is typically applicable in website context and can be applied as a seal on a website. Because this is less commonly implicated in cloud and outsourcing transactions, we will defer further discussion of the SOC 3.
Finally, in addition to all of the audits created by the auditors, there are also standards from the technology side. Most notably, the ISO 27001 provides standards (against which one can be audited) that include 11 standards relevant to IT (e.g., security policies, asset management).
When listening to multiple voices about what audit applies, typically the auditors voice may be controlling, but even then, the auditors need to be armed with the deal context that only the business can provide so that they give real and meaningful answers, rather than knee-jerk answers (that may tend toward over-inclusion with a cost implication).
With thanks to Ylvis for inspiring us with "What Does the Fox Say."