SAS 70 or SSAE 16 or SOC - Which Report Do You Have to Use?

Change Has Arrived

What is commonly known as a "SAS 70 Report" has been updated by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

The original intent of the SAS 70 report was to communicate with auditors regarding financial statement assertions. Over time, SAS 70 morphed into a marketing tool; a "certification" for security, availability, and other assertions unrelated to controls around financial reporting. As organizations have become more and more concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of these organizations.

The AICPA's response was to provide different solutions for reports designed to give users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports. Instead of having a single report designed for financial reporting, there are now three versions of a Service Organization Control Report (SOC 1, SOC 2, and SOC 3), each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort about financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria and covers one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the key trust services criteria, leaving out the detailed process and testing descriptions. The SOC 3 report also permits the organization to use the SOC 3 seal on its website.

Important Changes to Reporting

The new standards change the content of the report, as well as the reporting process for the service organization. The required changes give your organization an opportunity to differentiate and to provide greater relevance to your customers. Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70. The new description provides more information about the people, processes, and technology in place to achieve management's control objectives. The description also includes more information on the classes of transactions processed. Another change is the requirement that the organization provide a written assertion that is a required component of the report. The assertion by management will indicate its responsibility for the accuracy of the description of the system as well as the evaluation criteria for the basis of making the assertion.

Choosing Your SOC Report

When selecting a Service Organization Control Report (a SOC report), consider your audience. Who is going to use this report and for what purpose? Does your audience include auditors who need details regarding your controls and the test results, or will a general-use report meet their needs?

As you transition from a SAS 70 report to a new SOC report, you will also want to consider your system and the classes of transactions you process. Answers to these questions will help ensure you prepare the SOC report which best fits your organization.
