What was formerly known as a “SAS 70 Report” has been refreshed by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.
The original intent of a SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a “certification” for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.
The AICPA’s response was to offer alternative solutions for reports designed to provide users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports. Rather than having one report designed for financial reporting, there now are three versions of a Service Organization Control Report—SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:
The scope of SOC 1 report covers controls at a service organization relevant to a user entity’s internal control over financial reporting. A type 1 report focuses on a description of a service organization’s system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A type 2 report contains the same opinions as a type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A type 2 report also includes a detailed description of the service auditor’s tests of controls and results. Use of the report is restricted to the management of the service organization, user entities, and user auditors.
The scope of SOC 2 reports cover controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy and uses the trust services criteria. SOC 2 is similar to SOC 1 in that a type 1 or type 2 report is available and includes a description of the service auditor’s tests of controls and results. Use of the report “generally” is restricted.
The scope of SOC 3 report covers the same subject matter as SOC 2, and does not include a description of the service auditor’s tests of controls and results. Also, the description of the system is less detailed than the description in a SOC 2 report. The use and distribution of the report is NOT restricted. Here’s a quick look at the users, content, and purpose of SOC reports.
Type 1 report– Report on management’s description of a service organization’s (SO) system and the suitability of the design of the controls. Report comprises of
a. Management’s descriptions of the service organizations systems
b. A written assertion by management of the service org about whether all the material respects and based on suitable criteria
i. Management’s description of a service organization’s system fairly presents the SO’s system that designed and implemented as of the specified date
ii. The control objectives stated in management’s description of the SO’s system were suitably designed to achieve those control objectives as of the specified date.
c. Service auditor’s Opinion on the matters in b(i) and b(ii)
Type 2 report– Reports on management’s description of a SO’s system and the suitability of the design and operating effectiveness of the controls. Report comprises of
a. Management’s descriptions of the service organizations systems
b. A written assertion by management of the service organization about whether all the material respects and based on suitable criteria
i. Management’s description of a service organization’s system fairly presents the SO’s system that designed and implemented as of the specified period
ii. The control objectives stated in management’s description of the SO’s system were suitably designed to achieve those control objectives
iii. The control objectives stated in management’s description of the SO’s system were operated effectively throughout the specified period to achieve those control objectives
c. Service auditor’s report that
i. Opinion on the matters in b(i) and b(iii)
ii. Includes a description of the tests of controls and the results thereof.
Fortidm helps its clients with SSAE 16 SOC 2 readiness assessment frequently and enable them to be better prepared for the SSAE 16 compliance. If you are looking for help in readiness assessment of SSAE 16 certification, please email me at [email protected]
Source: Compiled from AICPA