Compliance White Papers


AICPA SOC reports are everywhere these days - SOC 1, SOC 2, and SOC 3 - due in large part to the retirement of the longstanding SAS 70 auditing standard, which was in place for approximately two decades (April 1992 to June 15, 2011). So out with the old and in with the new - and very new the AICPA SOC reports are - as witnessed by the three distinct reporting options that service organizations now have. With such monumental changes in reporting on controls at service organizations, it's important to take note of the following five items regarding AICPA SOC reports.

1. It’s a SOC world out there. SOC stands for "Service Organization Control," a completely new platform for reporting on controls at service organizations - one that effectively replaced the aging SAS 70 auditing standard. There are three (3) SOC reporting options to choose from: SOC 1, SOC 2, and SOC 3. Look upon the SOC platform as a true shift and monumental change by the American Institute of Certified Public Accountants (AICPA) in its attempt to modernize and become more global with respect to service organization reporting. Interestingly, there is an international equivalent to the SOC 1 reporting option - ISAE 3402 - but much like SAS 70, SOC 1 SSAE 16 reports are slowly, but surely, becoming the de facto standard, once again.

The AICPA Service Organization Control (SOC) reporting framework has effectively replaced the aging and antiquated SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. For service organizations, a number of new reporting options are now available, so companies won't be limited to a one-size-fits-all approach, as was the case with Statement on Auditing Standards No. 70. It's vitally important that you gain a comprehensive understanding of the following 5 points regarding the AICPA SOC reporting framework:

1. Why the change from SAS 70 to SOC? While most organizations have focused on the retirement of the SAS 70 auditing standard and the pronouncement of the SSAE 16 attest standard, it's important to take note of the larger picture. Specifically, service organizations have "grown up" since the birth of SAS 70 in April of 1992. Where reporting on internal controls was once limited to a very few select entities, businesses of all shapes and sizes are now being required to undergo numerous regulatory compliance audits. Because of this (and the growing trend toward globally accepted accounting principles), the American Institute of Certified Public Accountants (AICPA) took bold action in launching its Service Organization Control (SOC) framework, for which there are three (3) reporting options: SOC 1, SOC 2, and SOC 3.
