What has been known as a “SAS 70 report” has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance, SSAE 16, for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011. The original intent of a SAS 70 report was to communicate with auditors about financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a “certification” for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.
The AICPA’s response was to provide alternative reports designed to give users of third-party services assurance around the operational controls relevant to them: security, processing integrity, availability, confidentiality, and privacy. These areas are covered by the new AICPA Service Organization Control (SOC) reports. Rather than having one report designed for financial reporting, there are now three variations of a Service Organization Control report: SOC 1, SOC 2, and SOC 3, each serving a distinct purpose:
SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting provides assurance around financial reporting and transaction services; in practice, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements SSAE 16, Reporting on Controls at a Service Organization.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and addresses one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the service organization that relate to operations and compliance.
SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the Trust Services criteria, omitting the detailed system and testing descriptions. The SOC 3 report also allows the organization to display the SOC 3 seal on its website.
The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate itself and to offer increased relevance to your customers. Service organizations are required to provide a description of the system. This description is more encompassing than the description of controls required by a SAS 70. The new description provides more information about the people, processes, and technology in place to achieve management’s control objectives. The description also includes more information on the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is an integral part of the report. The assertion by management states its responsibility for the accuracy of the description of the system and for the evaluation criteria used as the basis for making the assertion.
When selecting a Service Organization Control report (a SOC report), consider your audience. Who is going to use this report, and for what purpose? Does your audience include auditors who need details about your controls and the test results, or will a general-use report meet their needs? As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.