Executive Summary

This Legal Alert complements our Legal Alert dated May 19, 2011, relating to SOC 1 reports entitled Outsourcing: SAS 70 Superseded for Service for Service Provider Controls Reporting by SSAE 16 (SOC 1 Legal Alert) and completes our coverage of the new service organization control reporting framework (SOC 1, SOC 2 and SOC 3) established by the American Institute of Certified Public Accountants (AICPA).

Customers (user entities) engaging outsource service providers (service organizations) to perform services involving the collection, processing, transmitting, sorting, organizing, maintaining or disposing of user entity information expose themselves to additional risks associated with the system utilized by the service organization to deliver the services. The user entities and the management of these user entities remain ultimately accountable to the various regulatory bodies and user entities’ stakeholders (boards of directors, shareholders, customers, etc.) for the successful and compliant conduct of the user entities’ outsourcing arrangements with service organizations.

With the AICPA’s issuance of its Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, updated May 1, 2011 (SOC 2 Guide), accountants for service organizations (service auditors) are now able to issue three service organization control reports in the AICPA framework – SOC 11, SOC 2 and SOC 32 reports. This framework of reports provides user entities’ management with tools to obtain certain assurances regarding the performance of outsource service providers’ service delivery systems.

Following the SOC 2 Guide, service auditors may issue SOC 2 type 2 reports on the service organization’s controls over its systems used to perform, provide and deliver the services to a specific user entity. SOC 2 type 2 reports have the flexibility to cover some or all of the five “trust services principles” – security, availability, processing integrity, confidentiality and privacy. Specifically, these reports contain (1) the service organization management’s description of the service organization’s system, (2) a detailed description of the service auditor’s tests of the operating effectiveness of the service organization’s controls, and (3) the results of those tests, which enable the user entity’s management to better assess, address and report on the risks associated with the outsourced services.