OUR THOUGHTS ON:

SSAE 16/SOC 1 and Trust Services Principles - SOC 2/SOC 3 - Both are Valuable Reports to User Entities

By Donald Owens

With the retirement of SAS 70 and the introduction of the Service Organization Control (SOC) examinations, the AICPA has established three SOC reporting options (SOC 1, SOC 2, and SOC 3) to meet the varying information and assurance needs of entities that use service organizations. Although these examinations have been effective for service auditor’s reports with periods ending on or after June 15, 2011, much confusion remains in the market as to how a single SAS 70 examination has evolved into very distinct and separate SOC examinations. Taking its lead from the many requirements mandated by the Sarbanes-Oxley Act that are enforced through the SEC and PCAOB, the AICPA recognized shortcomings in the SAS 70 audits. Specifically, reporting on controls at a service organization relevant to user entities’ internal control over financial reporting was, in many cases, not properly covered in the SAS 70 audits. To address this concern, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, which focuses on controls at service organizations and results in the issuance of a SOC 1 report.

Recognizing the reliance and trust user entities place in service organizations for technology support, the AICPA, drawing from the criteria of Trust Services Principles (TSP) 100, established SOC 2 and SOC 3 examinations (SOC 3 examinations address the same subject matter as SOC 2 engagements). Both SOC 2 and SOC 3 examinations address controls at a service organization related to the security, availability, processing integrity, confidentiality, and/or privacy of the information processed on behalf of user entities.

To assist user entities and service organizations in understanding the value of the SOC reporting options, Schneider Downs is making available as a free download the AICPA’s QUICK REFERENCE GUIDE TO SERVICE ORGANIZATION CONTROL REPORTS. This reference guide addresses key topics that may arise when user entities are determining which type of SOC report best meets their needs.

Download a free copy of the AICPA’s Quick Reference Guide to SOC reports

© 2013 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
