SAS 70 or SSAE 16 or SOC - Which Report Do You Have to Use?

Change Has Arrived

What is referred to as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of the SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of those organizations.

The AICPA's response was to provide different options for reports intended to give users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These options are encompassed in the new AICPA Service Organization Control (SOC) reports. Rather than having one report designed for financial reporting, there are now three versions of a Service Organization Control Report: SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and addresses one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria, leaving out the detailed system and testing descriptions. The SOC 3 report also allows the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate and to provide increased relevancy to your customers. Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70. The new description provides additional information about the people, processes, and technology in place to achieve management's control objectives. The description also includes additional information about the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is a key component of the report. The assertion by management will state its responsibility for the accuracy of the description of the system and the evaluation criteria used as the basis for making the assertion.

Choosing Your SOC Report

When selecting a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who want details about your controls and the test results, or will a general-use report meet their needs?

As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the types of transactions you process. Answers to these questions will help ensure you prepare the SOC report that best fits your organization.
