SAS 70 or SSAE 16 or SOC - Which Report Should You Use?

Change Has Arrived

What is still commonly known as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of the SAS 70 report was to communicate with auditors about financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of those organizations.

The AICPA's response was to provide alternative options for reports intended to give users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports. Instead of having just one report designed for financial reporting, there are now three versions of a Service Organization Control Report: SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally intended to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and addresses one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria, leaving out the detailed system and testing descriptions. The SOC 3 report also allows the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate and to provide increased relevance to your customers. Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70. The new description provides more information related to the people, processes, and technology in place to achieve management's control objectives. The description also includes more information on the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is a key component of the report. The assertion by management will state its responsibility for the accuracy of the description of the system and the evaluation criteria for the basis of making the assertion.

Choosing Your SOC Report

When selecting a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who need details about your controls and the test results, or will a general-use report meet their needs?

As you transition from the SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.
