SAS 70 or SSAE 16 or SOC - Which Report Should You Use? Change Has Arrived
What has long been known as a "SAS 70 report" has been superseded by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.
The original intent of a SAS 70 report was to speak to auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing device: a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations became increasingly focused on risks beyond financial reporting, a new suite of reports was needed to meet their needs.
The AICPA's response was to offer alternative reports intended to give users of third-party services comfort around the operational controls most relevant to them: security, processing integrity, availability, confidentiality and privacy. These reports make up the new AICPA Service Organization Control (SOC) reports. Rather than one report intended only for financial reporting, there are now three versions of a Service Organization Control report, SOC 1, SOC 2, and SOC 3, each serving a distinct purpose:
SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction processing services; essentially, what a SAS 70 was originally built to do. SOC 1 engagements are performed under Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and covers one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.
SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's opinion on whether the system achieved the applicable trust services criteria, omitting the detailed system description and the description of tests performed. The SOC 3 report also permits the company to display the SOC 3 seal on its website.
Key Changes to Reporting
The new standards change the content of the report, as well as the reporting process at the service organization. The required changes give your business an opportunity to differentiate itself and to provide increased relevance to your clients. Service organizations must now provide a description of the system. This description is more encompassing than the description of controls required by a SAS 70: it provides much more information about the people, processes, and technology in place to achieve management's control objectives, and it may also include the classes of transactions processed. Another change is the requirement that the organization provide a written assertion by management as a key component of the report. In that assertion, management acknowledges its responsibility for the accuracy of the description of the system and identifies the criteria used as the basis for making the assertion.
Selecting Your SOC Report
When selecting a Service Organization Control report (a SOC report), consider your audience. Who is going to use this report, and for what purpose? Does your audience include auditors who require information about your controls and the related test results, or will a general-use report fulfill their needs?
When you transition from a SAS 70 report to the new SOC reports, also consider your system and the types of transactions you process. The answers to these questions will help ensure you prepare the SOC report that best fits your company.