SSAE 16 “First to Fail”?
I’m still waiting for a service organization to write a press release that is:
- accurate
- replete of the word “certification“
- shows a moderate level of understanding about SOC attestations
- announces that the service organization conducted the right SOC attestation
This morning I was greeted with a press release from First To File ®, announcing that they have “passed” their SSAE 16 audit “for the third year in a row”. Hmmm. Considering the SSAE 16 standard wasn’t released until 2010 that’s a pretty neat trick! But that isn’t really why I’m writing about this press release. And I really am not trying to pick on First To File ®. Their press release just happens to contain many of the issues I have been trying to address with this blog. Apologies in advance.
It appears to me based on the description of First to File’s® business (patent prosecution support and document management service) that the SOC 1 audit was probably not the right type of SOC review for them to undertake in the first place. One of the primary reasons that the AICPA decided to do away with SAS 70 and create the SOC standards was because SAS 70 was being misused.
The AICPA white paper describing the new SOC standards says it best: “As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations.” 1 SOC 1 reports focus “solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.” 2
So if First to File® is in the business of document management, how do their services have any relevance to a user entity’s financial statements? They are merely storing intellectual property (IP) in a web-based environment for their customers. The only impact to the financial statements of their customers would be the fees paid by the customer for the services rendered. You might even stretch things and conclude that the value of the IP is at risk since it is being stored and protected by a third party. But that still does not justify the use of a SOC 1 (SSAE 16) report.
Certainly their customers would be interested in knowing what types of controls over the security and confidentiality of that intellectual property First to File® has in place. This is precisely the scenario that the AICPA created the SOC 2 report for. It is intended for situations where a report is needed about controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy. Of these, it appears to me at first glance that customers of a company providing document management services would certainly be interested in controls around security, confidentiality, and privacy. Perhaps even availability since it would be important to know that the web-based services would be available when needed.
So why would First to File® decide to ask their auditor for an SSAE 16 report? Because the AICPA and many CPA firms have not sufficiently educated the marketplace regarding the intent and appropriateness of SOC 1 vs SOC 2 vs SOC 3. Which is why I felt compelled to share this blog.
I can’t really blame the marketing and public relations folks that drafted the First to File® press release. If CPAs and other controls experts can’t figure out the new standards, we shouldn’t expect marketing folks to get it. If anyone is at fault, it would be the CPA firm that undertook the engagement. They should have done a better job of explaining the options and steered the customer away from SOC 1 and toward SOC 2. If after thoroughly understanding the options, the company still elected to have a SOC 1 (SSAE 16) report prepared, then all we can say is “the customer is always right“.
1 Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report – AICPA, Nov 2010
2 ibid
IT Controls Freak 
Right on David. I hope CPA firms that issued SOC1 (aka SSAE16) reports this year when they should have issued SOC2s get hammered in their peer reviews for it. That’s why I am feeding back this kind of information to the head of the peer review board.
Well done David,
Another example:
I recently submitted a request for Amazons “new” SOC report. I received the report and would like to point to some confusing if not incorrect reference of how Amazon is referring to this new report.
The PDF that we received is titled ” Description of Amazon Web Services System – Service Organization Control 1 Report – For the Period April 1, 2011 – September 30, 2011 ”
Shouldn’t the description of this type of report should actually be SOC 2 Type 1 report.
According to their site: Reference http://aws.amazon.com/security/ under Certifications and Accreditations.
Certifications and Accreditations
SOC 1/SSAE 16/ISAE 3402
“Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.”
Amazon is referring to their report correctly. The type II indicates that the independent auditor assessed the AWS controls within the report. If it was a SOC1 Type I, the controls would not have been tested.
My main contention is not whether it is a type 1 or type 2, but rather whether it is a SOC1 or SOC2 report. As I can not share this report (NDA with Amazon prevents this) it is clearly a report that deals with the controls in place as they relate to “security, availibility, processing integrity etc.” (SOC2) and nothing to do with their finacial statements and controls. (SOC1)
I see… I thought you meant that Amazon mis-represented the type of SOC report that was issued. I think cloud providers will eventually publish two reports (SSAE16 SOC1 and a SOC2), however time was limited and customers are demanding a SSAE16 SOC1 report.
It will be interesting to see what reports are issued 12 months from now.
Mark,
A SOC 1 (SSAE 16) report is not intended to provide an opinion about Amazon’s financial statements or the controls surrounding their financial statements. It is meant to provide information about controls they perform that impact their CUSTOMER’s financial statements. The report is intended for auditors of Amazon’s customers so that they can determine how to plan and execute an audit of the financial statements of Amazon’s customers.
Based on the title of the report it appears that Amazon opted for a SOC 1 (SSAE 16) Type 2 report. If your question is whether they should have issued a SOC 2 Type 2 report, then I might agree, depending on any additional controls that might be described that impact their customer’s financial statements. My suspicion is that there are none. I would guess that the report speaks to elements of Security and Availability.
Again, I can only assume that AWS supplies IaaS or PaaS. I would be surprised if they offer any SaaS. As such, in my view, a SOC 2 Type 2 report would be more appropriate.
Question to Mark-
How did you go upon requesting the SOC1 report from Amazon? How is Amazon distributing the report?