Trust Services Principles & Criteria
Since the early 1990s, SAS 70 has filled a critically important role in minimizing the over-auditing of service organizations whose output affects their clients' financial statements. In part because of its success in this role, and in part because of a lack of clear alternatives, demand for SAS 70 has grown far beyond its limited scope and purpose, to the point where SAS 70 reports are oftentimes requested when they are not appropriate for the circumstances.
Many service organizations presently completing SAS 70 reports will find they need to significantly change their reporting to comply with the new AICPA SOC reporting approach. Most service organizations will find they need to increase the transparency of their system description and revise their controls to meet the underlying requirements for risk-based design of controls. Service organizations that are presently preparing SAS 70 reports where their services do not affect their users' internal control over financial reporting will need to make what could be fundamental changes to their reporting approach.
The new AICPA SOC reporting approach recognizes that there is no one-size-fits-all approach to service organization reporting, and it gives service providers clearer alternatives for reporting that meets both their internal management needs and the reporting needs of their users (and prospective users). SOC recognizes that service organizations' outputs affect not just the financial risks of their users (the focus of SAS 70), but also their operational and compliance-related risks. Under the SOC reporting approach, users of service organizations can expect to receive reports that better align with their need to know how the service is being delivered and whether the controls the service organization has deployed are adequate to protect their business interests.
The following provides a summary of each of the three SOC reporting alternatives recently announced by the AICPA:
• AICPA SOC 1 is the branding for reports delivered under the recently released SSAE 16, which replaces SAS 70. SOC 1 is designed to conform to international standards and has heightened requirements in the form of risk-based design of controls and system transparency. Like SAS 70, SOC 1 is only applicable in situations where a service organization's controls are likely to be relevant to user entities' internal control over financial reporting ("ICFR"). As has been the case with SAS 70 reports, these reports are available in both Type I and Type II formats, where Type II covers a period of time, usually six months or more, to represent testing of operating effectiveness.
• AICPA SOC 2 is a Report on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. The SOC 2 report is structured similarly to the SOC 1 report in that management of the Service Organization provides a detailed assertion addressing the system that delivers the services within the scope of the report, as well as the controls designed and deployed to support that system. The control structure for SOC 2 is based on pre-defined control objectives for one or more of the SOC 2 control domains (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy). Under SOC 2, the Service Organization tailors its design of control activities to the specific circumstances of the services delivered to the user entities for which the report is intended. The SOC 2 report is also available in both Type I and Type II formats.
• AICPA SOC 3 is what was formerly known as a Trust Services Report. This is a more general-purpose report than a SOC 2. The auditor's opinion in this report relates only to the Service Organization's deployment of the specific criteria represented by one or more of the Trust Services principles for Security, Confidentiality, Processing Integrity, Availability, or Privacy. Unlike a SOC 2 report, which includes Control Objectives related to specific services, the SOC 3 report strictly addresses the criteria covered by the selected Trust Services principles. This report is more general-purpose and less detailed than a SOC 2 report, but it is still expected to meet the needs of many users who need both a strong control structure to meet internal management needs and a reporting framework that provides their clients and prospects independent assurance regarding the deployment of these controls.
HA&W has the skills and experience to deliver cost-effective, pragmatic solutions to your risk management and reporting needs. When SOC 1 reports addressing SSAE 16 / SAS 70 are appropriate, we have deep experience in accounting risk management and technology controls, so we can provide direction to ensure your controls are meaningful in protecting your business interests and fulfilling the reporting needs of your clients. We have provided SAS 70 reports to many clients whose services are delivered to Fortune 100 clients. When SOC 1 reports may not be appropriate, we can provide guidance and direction on the most cost-effective options for use of SOC 2 and SOC 3 reports.
Our personnel are in leadership positions within the AICPA information technology community, and we help influence standards and regularly lead training at national AICPA conferences on the subjects of SOC reporting for SSAE 16 and SAS 70, and other aspects of IT auditing and risk management.
• For more information, contact Dan Schroeder.