SSAE 16 SOC 2
Effective June 15, 2011, SAS 70 (Statement on Auditing Standard No. 70), Service Organizations, has been replaced by SSAE 16 (Statement on Standards for Attestation Engagements No. 16), Reporting on Controls at a Service Organization. A new SAS, Audit Considerations Relating to an Entity Using a Service Organization, is effective for audits of financial statements for periods ending on or after Dec. 15, 2012.
SAS 70 has been the source of requirements and guidance on service organization audits since 1992. But with the steady move toward convergence of U.S. and international accounting standards, and concerns over risks beyond financial reporting, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) felt that the time was right for a revamp.
Service Organization Control Reports
Outsourcing of services is becoming more common in both the private and public sectors. When user entities outsource tasks and functions to a service organization, many of the risks of the service organization become risks of the user entities.
To provide a framework for accounting professionals to examine controls, and to help management understand the risks related to controls, the AICPA has established three Service Organization Control (SOC) reporting options. An SOC report can help user entities identify and take steps to address the risks.
SOC 1 reports are prepared by a service auditor to report on controls at an organization providing services to user entities, and are used only when those controls are likely to be relevant to a user entity's internal control over financial reporting.
Similar to an SOC 1 report, the SOC 2 report provides a description of a service organization's systems. It also includes a description of the tests performed by the auditor and the results of those tests. An SOC 2 report focuses on nonfinancial controls, and one or more of the following system attributes (called Trust Services Principles):
- Processing Integrity
Like an SOC 2 report, an SOC 3 report focuses on nonfinancial controls, includes a description of the service organization's system, and includes one or more of the Trust Services Principles. Unlike an SOC 2, an SOC 3 is ordinarily a general-use report, which means that the service organization may provide the report to anyone. Also, unlike an SOC 2, an SOC 3 report does not contain a detailed description of the service auditor's tests of controls or the results of those tests. In some cases, an unqualified opinion on an SOC 3 report permits the service organization to use the SOC seal on its website.
The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, or tax advice or opinion provided by UbiStor, Inc. to the reader. The reader also is cautioned that this material may not be applicable to, or suitable for, the reader's specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The reader should contact his or her tax professional prior to taking any action based upon this information. UbiStor, Inc. assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.