Service Organization Controls Report Overview
RubinBrown has developed a diagnostic tool to assist you whether you are transitioning to the new report standards or embarking on such a report for the first time.
You will be provided:
- An easy-to-interpret diagnostic
- A timely gap analysis
- Ongoing consultation advice
- A reputable report
Change Has Arrived
What has been known as a "SAS 70 Report" is being refreshed by the American Institute of Certified Public Accountants (AICPA) with new guidance for reporting on service organizations.
This guidance replaces SAS 70 for reports covering periods ending on or after June 15, 2011.
The original intent of a SAS 70 report was to communicate with user auditors about controls relevant to financial statement assertions. Over time, SAS 70 morphed into a marketing tool, a de facto "certification" for security, availability, and other assertions unrelated to controls over financial reporting, a purpose it was never designed to serve.
As organizations have become increasingly concerned about risks beyond financial reporting, a new suite of reports was needed to meet the needs of service organizations and the users of their services.
The AICPA's response was to offer alternative solutions for reports designed to provide users of third-party services comfort around those operational controls relevant to them: security, processing integrity, availability, confidentiality and privacy.
These solutions are encompassed in the new AICPA Service Organization Control (SOC) reports.
Rather than having one report designed for financial reporting, there now are three versions of a Service Organization Control Report—SOC 1, SOC 2, and SOC 3 reports, each serving a distinct purpose:
SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting provides comfort around financial reporting and transaction services; essentially, what a SAS 70 was originally designed to do. SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy uses predefined trust services criteria and covers one or more of the five key system attributes of security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls at the service organization that relate to operations and compliance. Like a SOC 1, a SOC 2 is a restricted-use report intended for the service organization's customers and their auditors.
SOC 3: SysTrust for Service Organizations Report uses the same trust services attributes as the SOC 2 report. The SOC 3 report is a general-use report: it provides only the auditor's opinion on whether the system met the applicable trust services criteria, leaving out the detailed system description and the tests of controls and their results found in a SOC 2 report. A service organization that receives a SOC 3 report may also display the SOC 3 seal on its website.
Key Changes to Reporting
The new standards change the content of the report, as well as the reporting process for the service organization. The required changes provide your service organization an opportunity to differentiate and to provide increased relevancy to your clients.
Service organizations are required to provide a description of the system. This description is more encompassing than the description of the controls required by a SAS 70.
The new description provides more information related to the people, processes, and technology in place to achieve management's control objectives. The description also includes more information on the classes of transactions processed.
Another change is the requirement that management of the service organization provide a written assertion, which becomes a key component of the report.
In the assertion, management takes responsibility for the fairness of the description of the system, states that the controls were suitably designed (and, for a Type 2 report, operating effectively) throughout the period covered, and identifies the criteria used as the basis for making the assertion.
RubinBrown's Audrey Katcher currently serves on the AICPA Information Technology Executive Committee and the AICPA Data Integrity Committee.
Audrey's participation on these key AICPA committees provides clients the most current perspective the profession has on the new Service Organization Control standards and audit guidelines.
This helps service organizations get ahead of the curve as they look to provide their clients comfort that their data is safe.
Through roles such as this, RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization through the transition.
RubinBrown is a PCAOB registered accounting firm with an experienced team who have led and performed many SOC 1 (formerly known as SAS 70) engagements.
"Totally satisfied clients" is a cornerstone of RubinBrown's vision and has been for decades. This passion and commitment to the total satisfaction of our clients is not a "passing fad" but an essential piece of our culture.
Our concept of comprehensive service to clients goes far beyond the once-a-year performance of audit services. We believe that truly responsive service requires continuous attention, which means being available to you and your staff throughout the year.
This approach blends both technical audit and general industry experience into a constructive service concept. We use the latest in audit technology to analyze client needs and provide timely, quality service in the most efficient manner.
Our approach emphasizes quality, efficiency, and continuous involvement. We will help guide you in selecting the appropriate report or reports for your company and your clients.
RubinBrown SOC Reference Guide and Diagnostic Checklist
Download the RubinBrown SOC Reference Guide and Diagnostic Checklist to determine what report is best for you and your company.
The RubinBrown SOC Reference Guide and Diagnostic Checklist includes the following:
- RubinBrown SOC Diagnostic Checklist lists key questions you should ask yourself when determining which report to prepare.
- Summary of the changes and a detailed description of the different reports.
Service Organization Controls Helpful Resources
RubinBrown Partner Audrey Katcher speaks about managing controls and risk in the Cloud in the AICPA video, "Managing Controls, Risk in the Cloud."
Service Organization Controls Leaders
We welcome your questions or comments about Service Organization Control Reports (SOC 1, 2 and 3) or the Business Advisory Services Group. For more information, please contact:
Rick Feldt, CPA
Todd Pleimann, CPA
Kansas City Managing Partner
Matt Wester, CPA, CFE
Dave Richert, CPA, CITP, CIA, CISA, CQA