SSAE 16 and Service Organization Control (SOC) reporting approach replaces SAS 70
Many service organizations presently completing SAS 70 reports will find they need to significantly change their reporting to comply with the new AICPA SOC reporting approach. Most service organizations will find they need to increase the transparency of the system description and revise their controls to meet the underlying requirements for risk-based design of controls. Service organizations that are presently preparing SAS 70 reports where their services do not affect their users' internal control over financial reporting will need to make what could be fundamental changes to their reporting approach.
Since the early 1990s, SAS 70 has filled a critically important role in minimizing the over-auditing of service organizations whose output affects their clients' financial statements. In part because of its success in this role, and in part because of a lack of clear alternatives, demand for SAS 70 has grown far beyond its limited scope and purpose, to the point where SAS 70 reports are oftentimes requested when they are not appropriate for the circumstances.
The new AICPA SOC reporting approach recognizes that there is no one-size-fits-all approach to service organization reporting, and gives service providers clearer alternatives for providing reporting that meets both their internal management needs and the reporting needs of their users (and prospective users). SOC recognizes that a service organization's outputs affect not just the financial risks of their users (the focus of SAS 70), but also their operational and compliance-related risks. Under the SOC reporting approach, users of service organizations can expect to receive reports that better align with their need to know how the service is being delivered and whether the controls the service organization has deployed are adequate to protect their business interests.
The following provides a summary of each of the three SOC reporting alternatives recently announced by the AICPA:
- AICPA SOC 1 is the branding for reports delivered under the recently released SSAE 16, which replaces SAS 70. SOC 1 is designed to conform to international standards and has heightened requirements in the form of risk-based design of controls and system transparency. Like SAS 70, SOC 1 is only applicable in situations where a service organization's controls are likely to be relevant to user entities' internal control over financial reporting ("ICFR"). As has been the case with SAS 70 reports, these reports are available in both Type I and Type II formats, where Type II covers a period of time, usually six months or more, to represent testing of operating effectiveness.
- AICPA SOC 2 is a Report on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. The SOC 2 report is structured similarly to the SOC 1 report in that management of the Service Organization provides a detailed assertion addressing the system that delivers the services within the scope of the report, as well as the controls designed and deployed to support that system. The control structure for SOC 2 is based on pre-defined control objectives for one or more of the SOC 2 control domains (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy). Under SOC 2, the Service Organization tailors its design of control activities to the specific circumstances of the services delivered to the user entities for which the report is intended. The SOC 2 report is also available in both Type I and Type II formats.
- AICPA SOC 3 is what was formerly known as a Trust Services Report. This is a more general-purpose report than a SOC 2. The auditor's opinion in this report relates solely to the Service Organization's deployment of the specific criteria represented by one or more of the Trust Services principles for Security, Confidentiality, Processing Integrity, Availability, or Privacy. As opposed to a SOC 2 report, which includes Control Objectives related to specific services, the SOC 3 report strictly addresses the criteria covered by one or more of the Trust Services principles for Security, Confidentiality, Processing Integrity, Availability, or Privacy. This report is more general-purpose and less detailed than a SOC 2 report, but is still expected to meet the needs of many users who need both a strong control structure to meet internal management needs and a reporting framework that provides their clients and prospects independent assurance regarding the deployment of those controls.