New SOC Reports for Service Organizations Replace SAS 70 Reports
How it impacts CPAs.
February 7, 2011
Like all other AICPA auditing standards, SAS No. 70 -- Service Organizations was revisited as part of the Auditing Standards Board’s Clarity Project, which will be completed this year. In looking at the guidance on an examination of a service organization’s financial controls, the Accounting Standards Board (ASB) decided to move it from an audit standard to an attestation standard and released Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.
As a result of this change and other factors, AICPA guidance has evolved into a framework of three Service Organization Control (SOC) reports that address marketplace demands and uphold the profession’s commitment to the public interest where service organizations are concerned. New SOC report guidance will address the misuse of SAS 70 reports and illustrate alternative reporting options that will enable service organizations to demonstrate reliability and trust in their services to current and potential customers. At the same time, the appropriate standard or guidance to use and the resulting report, will be decided upon by the CPA and the client to ensure the standards are applied and used correctly.
SSAE 16 Produces SOC 1 Report
An auditor who audits the financial statements of a user entity is known as a user auditor. In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization. In some cases, the user entity is able to implement its own controls over the service performed by the service organization. In other cases, the user entity relies on the service organization to initiate, execute and record the transactions. In the latter case, it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities by obtaining a service auditor’s report.
Service auditors’ engagements that were previously performed under SAS 70 will now be performed under SSAE 16. A CPA may provide two types of service auditor’s reports (a type 1 report or a type 2 report). In both reports, the service auditor expresses an opinion on whether management’s description of its system is fairly presented and whether the controls included in the description are suitability designed. A type 2 report also contains an opinion on whether the controls were operating effectively. These reports have been designated as SOC 1 reports.
SOC 2, SOC 3 Examine Non-Financial Controls
The explosion of new technologies such as cloud computing and the emergence of global business opportunities has led more and more organizations to outsource certain functions related to their business that do not necessarily involve information about financial controls. The new SOC 2 report (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy) enables service organizations to get detailed examinations of controls other than those over financial reporting: security, availability, processing integrity, confidentiality or privacy.
Importantly, the new SOC 3 report (Trust Services Report for Service Organizations)
covers the same subject matter as SOC 2 but provides a short-form publicly available report that service organizations can use for marketing purposes. SAS 70 reports, as well as SOC 1 reports, were never intended for use by anyone other than the service organization’s or user entity’s auditor or the management of either company.
Addressing the Marketplace
In the past, several companies have incorrectly used the terms ‘SAS 70 certified’ or ‘SAS 70 compliant’ to imply that the examination covered more than internal controls over financial reporting. In other cases, SAS 70 was being improperly used to obtain assurance regarding compliance and operations. The report also was being made available to potential customers, although it was never meant for that purpose. This new series of reports will fix those problems in the marketplace while answering the call for services that CPAs perform.
Together, you and your clients will decide which engagement and resulting SOC report is most appropriate and which of the three will help the service organization demonstrate reliability and trust to current and potential customers. SSAE 16 is effective for service auditors’ reports for periods ending on or after June 15, 2011, with early implementation permitted. Guidance on SOC 2 and SOC 3 will be available by July. A new SOC Alert summarizes the three reporting options to help CPAs work with clients now. More information, including a free downloadable brochure, is available from www.aicpa.org/SOC.