dylanrogers452's Blog

Nov 5, 2011 4:54 AM
Change Is Here

What has been known as a "SAS 70 report" has been updated by the American Institute of CPAs (AICPA) with new guidance for reporting on service organizations. This guidance replaced SAS 70 for reports covering periods ending on or after June 15, 2011.

http://getssae16ready.com/

The original intent of a SAS 70 report was to communicate with auditors about financial statement assertions. Over time, SAS 70 morphed into a marketing device: a "certification" for security, availability, and other assertions unrelated to controls over financial reporting. As organizations have become increasingly focused on risks beyond financial reporting, a new suite of reports was needed to meet the needs of such organizations.

The AICPA's response was to offer alternative reports designed to give users of third-party services comfort around the operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy. These are encompassed in the new AICPA Service Organization Control (SOC) reports. Rather than a single report designed for financial reporting, there are now three versions of the Service Organization Control report (SOC 1, SOC 2, and SOC 3), each serving a distinct purpose:

SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally intended to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined criteria to cover any number of the five key system attributes: security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the organization that relate to operations and compliance.

http://getssae16ready.com/2011/11/03/am-i-a-service-organization-and-do-i-need-a-ssae-16-audit/

SOC 3: SysTrust for Service Organizations Report uses the same attributes as the SOC 2 report. The SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria, omitting the detailed system and testing descriptions. The SOC 3 report also permits the organization to use the SOC 3 seal on its website.

Key Changes to Reporting

The new standards change the content of the report as well as the reporting process for a service organization. The required changes give your business the opportunity to differentiate itself and to provide increased relevance to your clients. Service organizations must provide a description of their system. This description is far more encompassing than the description of controls required for a SAS 70. The new description provides details about the people, processes, and technology in place to achieve management's control objectives. The description also includes many of the classes of transactions processed. Another change is the requirement that the organization provide a written assertion, which is a key element of the report. Management's assertion will state its responsibility for the accuracy of the description of the system and the evaluation criteria that form the basis for making the assertion.

http://getssae16ready.com/2011/11/04/why-ssae16/

Selecting Your SOC Report

When selecting a Service Organization Control report (a SOC report), consider your audience. Who is going to use this report, and for what purpose? Does your audience include auditors who require information about your controls and the test results, or will a general-use report meet their needs?

As you transition from your SAS 70 report to a new SOC report, you will also need to consider your organization and the types of transactions you process. The answers to these questions will help ensure you prepare the SOC report that best suits your business.