Preparing for the New SAS 70: SOC 1, 2 and 3


By Holly Russo

Beginning June 15, 2011, three new Service Organization Controls (SOC) report options will replace SAS 70 reports. With the effective date just around the corner, the following are action items for service organizations to consider when implementing the new standards:

  • Determine effective date and report period for your organization.
  • Communicate with your users and re-evaluate the user needs and the user auditor needs. Discuss reporting guidance under SSAE 16 with your auditor and determine whether the report’s focus is still on internal controls over financial reporting.
  • Revise the nature and content of your report as necessary. Determine which reporting option makes sense for you and your customers (SOC 1, SOC 2 or SOC 3). 
  • Review the scope and impact that subservice organizations will have on the report (carve-out or inclusive) to determine if subservice organization assertions will be required.
  • Review existing contracts and any new customer contractual agreements for any potential impact on the report and determine if revisions are necessary for transition to new standards.
  • Review the system description and existing monitoring and/or testing processes (services, scope, third parties, risks, control objectives, control activities, testing strategy).
  • Review and update the narrative (Section II) to include other aspects of the service organization’s control environment, risk assessment, information and communication systems, control activities and monitoring that are relevant to the services provided.
  • Identify risks to control objective achievement.
  • Educate management on the additional disclosure responsibilities related to management’s assertions.
  • Be proactive: Communicate with everyone involved in the engagement including process owners, auditors and users.

If you have any questions about SOC 1, SOC 2, SOC 3 or SSAE 16, please contact the Internal Audit and Risk Advisory Services Team.

Schneider Downs provides accounting, tax, wealth management, technology and business advisory services through innovative thought leaders who deliver the expertise to meet the individual needs of each client. Our offices are located in Pittsburgh, PA and Columbus, OH.
