Change Is here
What's been referred to as a "SAS 70 Report" has been refreshed by the American Institute of Cpas (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.
The first intent on the SAS 70 report ended up being speak with auditors regarding financial statement assertions. With time, SAS 70 morphed right marketing strategy; a "certification" for security, availability, along with other assertions unrelated to controls over financial reporting. As organizations have grown increasingly worried about risks beyond financial reporting, a fresh suite of reports was needed to meet the needs of them organizations.
The AICPA's response would be to offer alternative solutions for reports built to provide users of third-party services comfort around those operational controls tightly related to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed from the new AICPA Service Organization Control (SOC) reports. As opposed to having one report intended for financial reporting, there now are three versions of the Service Organization Control Report---SOC 1, SOC 2, and SOC 3 reports, each serving a definite purpose:
SOC 1: Set of Controls for a Service Organization Tightly related to User Entities' Internal Treatments for Financial Reporting provides comfort around financial reporting and transaction services; essentially, exactly what a SAS 70 was originally created to do. SOC 1 engagements are executed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls for a Service Organization.
SOC 2: Directory Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy utilizes predefined criteria and covers several in the five key system features of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.
SSAE 16 Preparation
SOC 3: SysTrust for Service Organizations Report uses a similar attributes because the SOC 2 report. The SOC 3 report is actually a general-use report that provides the auditor's directory if the system achieved basic trust services criteria, removing the detailed system and testing descriptions. The SOC 3 report also permits the business to implement the SOC 3 seal on its website.
Key Changes to Reporting
The revolutionary standards modify the content on the report, in addition to the reporting process to the service organization. The mandatory changes provide your small business an opportunity to differentiate and provide increased relevancy in your clients. Service organizations are needed to offer a description on the system. This description is a bit more encompassing than the description on the controls essental to a SAS 70. The latest description provides much more information in connection with the people, processes, and technology into position to obtain management's control objectives. The description can also include more information on the classes of transactions processed. Another change would be the requirement which the organization give you a written assertion that's a key element from the report. The assertion by management will indicate its responsibility for your accuracy on the description with the system plus the evaluation criteria for your first step toward making the assertion.
SSAE 16 Readiness
Selecting Your SOC Report
When selecting a website Organization Control Report (a SOC report), consider your audience. Who's going to work with this report and for what purpose? Does your audience include auditors who are required information regarding your controls plus the test results, or will a general-use report fulfill their demands?
When you transition from the SAS 70 are accountable to a whole new SOC report, you'll also be thinking about one's body along with the sorts of transactions you process. Techniques to these questions can help make certain you prepare the SOC report which most closely fits your business.