Outsourcing and cloud computing service engagements are fraught
with financial, security and other risks, especially if dealing
with an unproven service provider. Obtaining a third party
assurance report with respect to a service provider's internal
controls can provide some comfort. However, customers are often
confused about what kind of assurance report they should
Canadian Standard on Assurance Engagements 3416 (CSAE 3416),
Reporting on Controls at a Service Organization, is the Canadian
assurance standard for reviewing and reporting on controls at a
service organization. It is issued by the Auditing and Assurance
Standards Board (AASB) and is equivalent to the Statement on
Standards for Attestation Engagements (SSAE) No. 16, which is the
standard in the United States, and is substantially similar to the
International Standard on Assurance Engagements (ISAE) No.
SOC 1, 2 and 3
It is important to note that CSAE 3416 is not a report itself. A
report under the CSAE 3416 standards is a Service Organization
Control (SOC) 1 report, which is the successor to the Canadian
Institute of Chartered Accountants (CICA), Section 5970 report. SOC
1 reports have a limited purpose. They only address internal
controls over financial reporting.
There are two other categories of SOC reports available, SOC 2
and SOC 3, which are much different in scope than SOC 1 reports.
They report on controls related to security, availability,
processing integrity, confidentiality and/or privacy based on broad
statements of objectives called "trust services
A SOC 2 report is a "restricted report" for the use of a
specific audience, such as a particular customer of a service
In contrast, a SOC 3 report is intended for general release
(e.g. posted on a service provider's website with a SysTrust
seal or shared with prospective customers generally) and is a short
form report that does not contain the same level of detail as a SOC
2 report. Unlike a SOC 2 report, a SOC 3 report does not contain a
description of the service provider's system of controls
prepared by its management, nor does it include any auditor's
tests or test results. These elements are typically needed for a
customer to determine how it may be affected by a service
Type I and Type II SOC Reports
There are two types of SOC reports. Type I reports evaluate the
design and implementation of controls at a point in time, while Type
II reports also test whether those controls operated effectively
over a period of time. Type II reports include the examination and
confirmation steps involved in a Type I examination plus an
evaluation of the operating effectiveness of the controls for a
period of at least six calendar months. A customer relying on the
report to assess a provider's security controls will therefore get
considerably more from a Type II report than from a Type I report.
When to obtain a SOC Report
Generally, a third party assurance report is needed when the
services provided by the third party service provider have a
material impact on a customer's internal controls (in
particular, internal controls over financial reporting (ICFR)). SOC
reports can be very helpful when conducting due diligence on
prospective service providers and for monitoring the risk of an
organization's outsourcing arrangements on an ongoing
What type of SOC Report to Obtain
Customers that have their financial statements audited and
outsource any key processes that affect their financial statements
will likely require a CSAE 3416 (or SSAE 16) audit and SOC 1 report
to ensure compliance with auditing requirements and securities
Since SOC 1 reports only address internal controls over
financial reporting, they may not be adequate for many customers of
outsourcing and cloud services. Customers should, in addition to
requiring the service provider to deliver an annual CSAE 3416 SOC 1
Type II report, consider requiring the service provider to deliver
an annual SOC 2 Type II report where there are any concerns about
personal and confidential information protection or system
security, processing integrity or availability. This is often the
case with SaaS, data centre and managed services engagements.
If a service provider already makes a SOC 3 report generally
available to its customers, or responsibility for the cost of a SOC
2 report becomes a heated issue, then a SOC 3 report may be an
adequate alternative to a SOC 2 report. Bear in mind, however, that
a SOC 3 report omits management's description of the system and
the auditor's tests and test results, so it will not show the
customer which controls were tested or how they performed.