SAS 70 or SSAE 16 or SOC - Which Report Should You Use?

Change Has Arrived

What has been referred to as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of a SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations became increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of those organizations.

The AICPA's response was to provide alternative options for reports designed to give users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These options are encompassed in the new AICPA Service Organization Control (SOC) reports. Instead of having one report designed for financial reporting, there are now three versions of the Service Organization Control Report: SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and addresses one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria, leaving out the detailed system and testing descriptions. The SOC 3 report also allows the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report, as well as the reporting process for the service organization. The required changes offer your organization an opportunity to differentiate and to provide enhanced relevancy to your clients. Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70. The new description provides more information related to the people, processes, and technology in place to achieve management's control objectives. The description also includes more information about the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is a key component of the report. The assertion by management will state its responsibility for the accuracy of the description of the system and the evaluation criteria for the basis of making the assertion.

Choosing Your SOC Report

When choosing a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who will need details about your controls and the test results, or will a general-use report meet their needs?

As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.
