The AICPA has created a new service organization control reporting framework that enables CPAs to offer service organizations the kind of assurance that their customers and business partners are demanding. The new SOC framework expands the areas that a CPA can report on and allows service organizations to use logos on their website to advise customers and potential customers that a SOC engagement has been performed.
This new reporting framework replaces reports previously known as “SAS 70”. SAS 70 reports were designed to be auditor-to-auditor communication on the design (Type 1) or design and operating effectiveness (Type 2) of a user organization’s internal controls over financial reporting that had been outsourced to a service organization. The new Statement on Standards for Attestation Engagements (SSAE) No. 16 clarifies and strengthens the reporting on controls at a service organization relevant to a user entity’s internal control over financial reporting. These are now called SOC 1 Engagements however they remain.
With the growth in new technologies, global business opportunities and increased outsourcing, it became clear that there was a need for a detailed report based on an examination of subject matter other than internal control over financial reporting. These subjects, considered part of compliance and operations, relate to a service organization’s information systems Security, Availability, Processing Integrity, Confidentiality or Privacy (the Principles). The emergence and growth of cloud computing, and the increased outsourcing of certain functions, increased the need for independent assurance on the reliability of information systems. To ensure the completeness and comparability of these reports, a SOC 2 engagement must be conducted using the Trust Services Standards, Principles & Criteria established by the AICPA. A SOC 2 report is considered a limited-distribution report because it contains sensitive and detailed information about the controls in place; it may be issued based on one or more of the Principles and their related criteria. Following completion of a SOC 2 engagement, an organization can post on its website the SOC logo indicating that an examination by an independent CPA has been performed.
A SOC 3 report is an opinion-only report that is intended for public distribution. A SOC 3 engagement is performed based on the Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality or Privacy and results in a CPA’s opinion on whether the organization maintained effective controls over its system during the reporting period. A seal can be placed on the organization’s website to provide “click through” access to the auditor’s report.