AT Section 101 is a professional standard that all service organizations need to be keenly aware, due in large part to the creation of the AICPA SOC reporting framework, for which both AT Section 101 and SSAE 18 play critical roles in reporting on controls.
In issuing a SOC 1 (SSAE 16/SSAE 18) report, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has been very clear in stating that the intent of actual SSAE 16/SSAE 18 itself is for reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting.
Simply stated, if a service provider is performing a task or function or providing a service to another entity, for which it impacts the financial reporting of this entity in some way, then SOC 1 (SSAE 16/SSAE 18) is applicable. Thus, the scope of SSAE 18 is still consistent with that of SSAE 16, for which it was superseding.
AT Section 101 and SOC 2 Reporting - A Growing Trend
Thus, when reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting), practitioners should perform an Attest Engagement in accordance with AT Section 101. Therefore, SOC 2 audits are to be the chosen reporting platform for such user organizatoins. Keep in mind that the reasoning for the AICPA to make very clear of the use of AT Section 101 is because the original (and now thankfully defunct) SAS 70 auditing standard strayed heavily from its original use as an auditor-to-auditor standard, and more of that as an internal control audit conducted on almost any conceivable organization. Many service organizations quickly began to obtain SAS 70 Type I and Type II compliance for marketing and business development reasons, often largely ignoring the true technical merit and intent of the auditing standard itself. As such, the AICPA highly recommends that practitioners reporting on controls outside of that of financial reporting should conduct an Attest Engagement, in accordance with AT Section 101.
The AICPA is also very aware of the changes being brought about from technology and has published numerous guides, such as the following: Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
AT Section 101 and SOC 2 Audits - The Preferred Choice for Technology Companies
Expect this guide to be utilized when practitioners issue Attest Engagements under AT Section 101. This guide, along with the issuance of a Service Auditor’s Report under AT Section 101 could become a very-well known audit report in the marketplace as companies possibly move away from the SOC 1 (SSAE 16/SSAE 18) scope (which is limited to financial reporting) and embrace reporting on controls outside the scope of financial reporting. It’s simply too early to tell as to which of the service organization reporting options will take firm root, resulting in widespread acceptance. With that said, expect SOC 1 (SSAE 16/SSAE 18), Attest Engagements in accordance with AT Section 101, ISAE 3402 and other country | region specific standards to be the dominant players.
Simply stated, If you’re a technology company, such sa cloud computer vendor/provider, data center, managed services entity, software development shop, data analytics provider – any type of business in the technology space – then SOC 2 Type 1 and SOC 2 Type 2 audits are the preferred choice for compliance reporting. Want to receive a competitive, fixed-fee for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 compliance? Then contact us today or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706.