SAS 70 or SSAE 16 or SOC - Which Report Should You Use?

Change Has Arrived

What has long been referred to as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of a SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.

The AICPA's response was to offer alternative options for reports designed to give users of third-party service providers comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These options are encompassed in the new AICPA Service Organization Control (SOC) reports. Instead of having one report designed for financial reporting, there are now three versions of a Service Organization Control Report: SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; in essence, what a SAS 70 was originally intended to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and addresses one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria, leaving out the detailed system and testing descriptions. The SOC 3 report also permits the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate and to provide increased relevance to your customers. Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70. The new description provides more information about the people, processes, and technology in place to achieve management's control objectives. The description also includes more information about the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is an essential element of the report. The assertion by management will state its responsibility for the accuracy of the description of the system and the evaluation criteria for the basis of making the assertion.

Selecting Your SOC Report

When selecting a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who need details about your controls and the test results, or will a general-use report meet their needs?

As you transition from the SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.
