The AICPA Service Organization Control (SOC) reporting framework has effectively replaced the aging and antiquated SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. For service organizations, a number of new reporting options are now available, thus companies won't be limited to a one-size fits all approach, as was the case with Statement on Auditing Standards No. 70. It's vitally important that you gain a comprehensive understanding of the following 5 points regarding the AICPA SOC reporting framework:
1. Why the change from SAS 70 to SOC? While most organizations have focused on the retirement of the SAS 70 auditing standard and the pronouncement of the SSAE 16 attest standard, it's important to take note of the larger picture. Specifically, service organizations have "grown up" since the birth of SAS 70 in April of 1992. Where reporting on internal controls was once limited to a very few, select entities, businesses of all shapes and sizes are now being required to undergo numerous regulatory compliance audits. Because of this, (and the growing trend toward globally accepted accounting principles), the American Institute of Certified Public Accountants (AICPA) took bold action in launching its Service Organization Control (SOC) framework, for which there are three (3) reporting options; SOC 1, SOC 2, and SOC 3.
2. What is SOC 1? SOC 1 is the Service Organization Control reporting option that utilizes the SSAE 16 professional standard, resulting in two (2) types of reports to be issued: SOC 1 SSAE 16 Type 1 reports and SOC 1 SSAE 16 Type 2 reports. Furthermore, SOC 1 reports, much like SAS 70 reports, were specifically intended for service organizations who have a credible relationship and/or nexus to a concept known as "ICFR"; Internal Control over Financial Reporting. However, many service organizations have simply opted to move forward with SOC 1 SSAE 16 reporting instead of opting for SOC 2 or SOC 3 compliance.
3. What is SOC 2 and SOC 3? Service Organization Control reporting options 2 and 3 are an attempt by the AICPA to give service organizations more flexibility and opportunities for reporting on their control environment. Specifically, SOC 2 was developed for the fast and furious growth of technology and cloud computing service organizations, such as Software as a Service (SaaS) entities, data centers, managed services providers, software development organizations, and many other technology minded companies. And while the AICPA gets an "A" for their efforts in developing these reporting options, the adoption of SOC 2 and SOC 3 reporting has fallen short in the marketplace, but this should change over time. Service Organization Control reporting options 2 and 3 can provide tremendous value to service organizations, thus they'd be wise to investigate them. SOC 2 and SOC 3 engagements are to utilize AT 101 as the professional standard for reporting.
4. SOC 1 and SOC 2 require a description of one's "system". Whereas the SAS 70 auditing standard required a description of "controls", SOC 1 and SOC 2 reporting requires a description of one's "system". This "system" is looked upon by practitioners as a more comprehensive, in-depth and detailed narrative of a service organization's control environment when compared to the SAS 70 description of "controls". Simply stated, if you are migrating from SAS 70 to SSAE 16, you may have to spend additional time in strengthening the language of the description of your "system". Additionally, SOC 1 and SOC 2 reports also require that management provide a written statement of assertion to be included in the final report.
5. Choose your SOC auditing firm wisely. In today's competitive business arena, the accounting industry being no different, there are numerous providers offering SOC services. And to be fair, a large number of them are knowledgeable and provide quality services. Thus, if you're seeking a nationally recognized, IR CPA firm, and one that can provide a competitive, fixed-fee, then contact NDNB Accountants today.
NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP. And if you're using AWS for hosting of your production environment, here's what you need to know NOW about SOC 2 audits
For more information on Service Organization Control (SOC) reporting and on SOC 1, SOC 2, and SOC 3 pricing, please contact Charles Denyer at 1-800-277-5415, ext. 705 or Christopher G. Nickell at 1-800-277-5415, ext. 706.
