Change Has Arrived
What has been known as a “SAS 70 Report” has been refreshed by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.
The original intent of a SAS 70 report was to communicate with auditors concerning financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a “certification” for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.
The AICPA's response was to offer alternative solutions for reports designed to provide users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports. Rather than having one report designed for financial reporting, there are now three versions of a Service Organization Control Report — SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:
SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy utilizes predefined criteria and covers one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.
SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved basic trust services criteria, leaving out the detailed system and testing descriptions. The SOC 3 report also permits the organization to use the SOC 3 seal on its website.
Key Changes to Reporting
The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate itself and to provide increased relevance to your clients. Service organizations are required to provide a description of the system. This description is more encompassing than the description of controls required by a SAS 70: it provides more information on the people, processes, and technology in place to achieve management's control objectives, and on the classes of transactions processed. Another change is the requirement that the organization provide a written assertion, which is a key component of the report. In this assertion, management acknowledges its responsibility for the accuracy of the description of the system and states the criteria used as the basis for making the assertion.
Selecting Your SOC Report
When selecting a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who need details about your controls and the test results, or will a general-use report fulfill their needs?
As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.