SAS 70 or SSAE 16 or SOC - Which Report Should You Use?

Change Has Arrived

What has been known as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of the SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool: a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.

The AICPA's response was to offer alternative solutions for reports designed to provide users of third-party services comfort around the operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports. Instead of having one report designed for financial reporting, there are now three versions of a Service Organization Control report (SOC 1, SOC 2, and SOC 3), each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and covers one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the basic trust services criteria, omitting the detailed system and testing descriptions. The SOC 3 report also permits the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report as well as the reporting process for the service organization. The required changes give your business the opportunity to differentiate itself and provide increased relevance to your clients. Service organizations must provide a description of the system. This description is more encompassing than the description of controls required by a SAS 70. The new description provides details about the people, processes, and technology in place to achieve management's control objectives. The description also includes more information on the classes of transactions processed. Another change is the requirement that the organization provide a written assertion, which is a key component of the report. The assertion by management will indicate its responsibility for the accuracy of the description of the system as well as the evaluation criteria that form the basis for making the assertion.

Selecting Your SOC Report

When selecting a Service Organization Control report (a SOC report), consider your audience. Who is going to use this report, and for what purpose? Does your audience include auditors who require details about your controls and test results, or will a general-use report meet their needs?

As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your business.
