By Angelique Carson, CIPP

One size does not fit all when it comes to trying to determine what type of audit report to use under the American Institute of CPAs’ new attestation standards. That’s according to Richard Hannmann of KPMG who recently co-chaired the IAPP KnowledgeNet “The Death of SAS70: SOC It To Me.”

The bicoastal meeting, which Hannmann co-chaired from Boston and KPMG’s Doron Rotman, CIPP, simultaneously co-chaired from San Francisco, aimed to identify IT and financial service organizations’ risks when it comes to third-party service providers; discuss the ways audits can be considered a good business practice; identify the types of reports available under the new attestation standard—Statement on Standards for Attestation Engagements (SSAE) No. 16—which recently replaced the nearly 40-year-old standard Statements on Auditing Standards (SAS) 70—and discuss which reports would be most useful to an organization’s needs.

As outsourcing to third parties becomes increasingly common and privacy and breaches dominate headlines, audits to measure internal data controls are of great interest to regulators and government oversight departments.

Therefore, ensuring accountability is essential when it comes to using third-party service providers, Rotman said. As more and more personal data is outsourced, there must be standards extended to the service provider on data accountability, security and integrity; use and onward transfer of data from one third party to another; contract management; data integrity, and the monitoring and enforcement of laws and regulations.

It’s essential that an organization has a repeatable and scalable process for the data lifecycle management before outsourcing processes to other organizations, Rotman said.

“It sounds very simple, it sounds basic. But unfortunately, a lot of organizations don’t always understand what types of information they collect and how the information is stored and shared with third parties. And you need to understand all of that before you can turn to a third party for any type of assurance,” Rotman said.

“Get your house in order first, before you transfer information. After you have your house in order, you can really turn to the service provider to say ‘How will you demonstrate that you also have your privacy house in order?’”

SOC 1, 2 and 3

Service Organization Control (SOC) reports are now replacing the SAS 70. Three types of reports are now available depending on an organization’s needs. While the SOC 1 report replaces the SAS 70 directly for financial reporting support, the SOC 2 and SOC 3 are based upon the Trust Services Principles of  security, availability, confidentiality, processing integrity and privacy—which allow organizations to meet the specific operational and compliance needs that apply to them, including security and privacy concerns related to the cloud.

SOC 1 focuses on internal control over financial reporting and is generally used when the service provider performs financial transaction processing. SOC 2 is a detail report like the SOC 1 and focuses on security, availability, processing integrity, confidentiality and/or privacy related to non-financial systems. Hannmann suspects that the government will shortly begin using SOC 2 as a regulatory tool.

“From a regulatory perspective, I can see that SOC 2 is going to be very popular and start to be visible,” he said.

SOC 3 is intended for those users who do not have a need for the detailed knowledge necessary for a SOC 2 report. It consists of a short report containing the auditor’s opinion and brief description of the system in scope. A website seal to demonstrate a level of compliance and proficiency can be posted to a servicer’s website upon receiving a successful “unqualified” SOC 3 report opinion. As such, it’s becoming a marketing tool for organizations aiming to demonstrate competency and compliance.

“So if your company is very proud of security…you now have a tool to reach out and say, ‘Hey, come to me.’ For an independent party to say that your system is reliable for processing information in terms of security and accuracy (processing integrity and availability), that’s a pretty strong statement,” Hannmann said.

In the end, accountability starts with the data controller, according to Rotman.

“To demonstrate trust around the value chain is a problem companies have been facing for a long time,” he said, adding that due diligence, contractual agreements and compliance monitoring can help to mitigate third-party risks. “You can outsource data, you can outsource services, but you cannot outsource accountability. That always stays within the organization that collects the information.”


IAPP KnowledgeNet events take place in cities around the world, and they are free and open to all IAPP members. For a list of upcoming KnowledgeNet events, visit here. To volunteer to host a KnowledgeNet event, contact us at knowledgenet@privacyassociation.org. 


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»