The SAS 70 Report was recently changed by the American Institute of Certified Public Accountants (AICPA). Mainly, they added new guidance that relates specifically to service organizations. This change came into force on June 15, 2011 and professionals like Scott Tominaga.
Originally, the SAS 70 Report was designed to ensure auditors could communicate about assertions in financial statements. However, it quickly started to become almost like a certification, designating availability, security, and more in the world of financial reporting. Because there are no significant risks in organizations, many of which are outside of financial reporting, new reports were needed as well.
What the AICPA decided to do, was create an alternative so that those who use third-party services could remain focused on the key issues at hand, being:
- Processing integrity.
All of these issues were place into the new Service Organizational Control (SOC) reports. Three versions of them now exist, SOC 1 through 3, and each has a unique purpose.
Three SOC Reports Explained by Scott Tominaga
- SOC 1
This report looks at the controls within service organizations as this relates to the entities of users who have internal control of financial reporting. SOC 1 is compliant with the Statement on Standards for Attestation Engagements (SSAE) 16.
- SOC 2
This report also looks at the control within service organizations. However, this report is specific to privacy, confidentiality processing integrity, availability, and/or security. This follows a number of set criteria and determines whether organizational operations are fully compliant.
- SOC 3
This report is different because, while it still relates to service organizations, it is the SysTrust report. This means it is similar to SOC 2, but it focuses particularly on basic trust services. It does not look into more details and tests. The SOC 3 can also be added as a seal on a website.
How Reporting Has Changed
Because of the new standards, reporting contents have changed significantly, as has the process itself. This means that organizations can now set themselves apart as being more relevant to their clients. Any service organization must describe what their system is, and this goes into far more details than the original SAS 70 did. In fact, it must include details about:
- Transaction classes.
- A written assertion that indicates management is fully responsible for how the system works and according to which evaluation criteria.
How to Choose a SOC Report
When you choose a SOC, you have to consider who will read it, what they will use the report for, and why. Ask yourself whether auditors will require the results and whether they need to know what test results you had and what your controls were. You need to know, basically, how much detail they require. Transitioning from SAS 70 to SOC is quite a lot of work, but that is why there are professionals like Scott Tominaga who are there to explain it all.