Compliance White Papers


SOC 1 Type 2 reports are part of the new AICPA Service Organization Control (SOC) reporting framework, and as such, there are a number of critical points your organization should know about regarding the new reporting standard that has effectively replaced SAS 70 for reporting periods ending on or before June 15, 2011. Take note of the following 5 issues regarding SOC 1 Type 2 reporting:

1. SAS 70 has been replaced. After almost 20 years of faithful service, Statement on Auditing Standards No. 70 is with us no more. It became a very well-known (but often misused) auditing standard for reporting on controls at service organizations, over time becoming the de facto global standard against which all other reporting options were measured.

2. The SOC framework has arrived. The American Institute of Certified Public Accountants (AICPA) made significant changes to third-party assurance reporting with the announcement of its comprehensive Service Organization Control (SOC) reporting framework, under which you choose between SOC 1, SOC 2, and SOC 3 reports. Much to the dismay of the AICPA, SOC 2 reporting, which is designed for the growing number of technology and cloud-based service organizations, has not gained much traction in the marketplace, leaving SOC 1 Type 2 reports as the new de facto standard. This may change over time as more organizations learn about SOC 2 and as parties demanding these reports face increased regulatory compliance requirements, but only time will tell.

3. SOC 1 Type 2 reports require that management provide a written statement of assertion and develop a description of its "system". It's important to note that the written statement of assertion was never a requirement for SAS 70, and that a SOC 1 Type 2 description of the "system" is looked upon as a more in-depth and comprehensive narrative than the SAS 70 description of "controls". In short, there's some additional work to be done to meet the new reporting requirements for SOC 1 Type 2 reports.

4. There's an international standard equivalent to SSAE 16. That's right, the International Federation of Accountants (IFAC) has put forth its own service organization control standard, and it very closely (with a few technical exceptions) mirrors that of SSAE 16. This was due in large part to the collaborative efforts between the AICPA and IFAC to have similar standards as part of the emerging globally accepted accounting principles and standards. You can learn more about ISAE 3402 at

5. SOC 1 Type 2 reports also bring into play a number of important provisions that service organizations should be aware of, such as the following: (1) the internal audit function, (2) subservice organizations and reporting, and (3) the concept of monitoring.

You can learn more about these five (5) critical points by visiting the official SSAE 16 Resource Guide, developed by NDNB Accountants & Consultants, a nationally recognized IR CPA firm specializing in regulatory compliance. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

If you would like to learn more about SOC 1 Type 2 reports and are interested in receiving a competitive, fixed fee proposal, please contact Christopher G. Nickell, CPA at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations