New Series of SOC Reports Replaces SAS 70 Reports
Since spring 2010, the AICPA has been informing CPAs about a transformation
of Statement on Auditing Standards No. 70, Service Organizations. The
next generation of service organization reports offers a series of reporting
options aimed at providing users with information they need about entity
controls that have been outsourced to a service organization. The three new
reports are called Service Organization Control Reports℠, or SOC reports for short.
In recent years, SAS 70 was being used improperly. Many service
organizations’ marketing materials claimed they were “SAS 70 certified” or
“SAS 70 compliant” when there never was such a designation. In addition,
many service organizations indicated that the SAS 70 audit examined
nonfinancial subject matter, such as security, availability, processing
integrity, privacy or confidentiality, when that was never an intent of the
standard.
To conform U.S. standards to international standards, the AICPA’s Auditing
Standards Board, in April 2010 and under its Clarity Project, issued a new
attestation standard that superseded SAS 70’s guidance for service auditors.
Furthermore, to alleviate past SAS 70
misunderstandings and to better meet market needs, two authoritative
attestation guides have been developed to assist with the new SOC
engagements, including a separate guide that illustrates the examination of
controls over nonfinancial areas.
Here are brief descriptions of the three new SOC reports:
- The examination of controls that pertain to financial reporting at a user
organization has been moved to a new Statement on Standards for Attestation
Engagements, SSAE 16 – Reporting on Controls at a Service Organization, which
results in a SOC 1℠ Report. This report examines controls at a service
organization that impact a user entity’s controls over financial reporting.
This report is to be used only by auditors of user organizations and the
management of user entities. SSAE 16 makes clear that the auditor is required
to obtain the same level of evidence and assurance as did the former SAS 70
service auditor engagement. A new attestation guide, Service Organizations:
Applying SSAE No. 16, Reporting on Controls at a Service Organization, will
help practitioners perform and report on these engagements.
- A SOC 2℠ Report provides detail on controls at a service organization
covering security, availability, processing integrity, confidentiality or
privacy. It is generally a restricted-use report. To assist practitioners with
these report engagements, the AICPA developed a new authoritative guide,
Reporting on Controls at a Service Provider Relevant to Security,
Availability, Processing Integrity, Confidentiality or Privacy. The SOC 2
guidance was designed to fill the market void where SAS 70 may have been
applied incorrectly.
- SOC 3℠ Reports are Trust Service examination reports. They cover the same
subject areas as SOC 2, but in a shortened version (about one page, in fact)
that can be used in a service organization’s promotional efforts. SOC 3℠
reports can be used as a marketing tool, with potential customers for
instance, to show that appropriate controls are in place to mitigate risks in
the nonfinancial subject areas.
SAS 70 audits for service organizations should no longer be performed, as
SSAE 16 is effective for service auditors’ reports for periods ending on or
after June 15, 2011, with early application permitted. The new attestation
guides became effective upon issuance. So, all three reporting options for
service organizations are now illustrated, including the new reports for
examining and reporting on controls over security, availability, processing
integrity, confidentiality or privacy. Visit aicpa.org/soc for more
information.
July/August 2011