The American Institute of CPAs has issued new attest guidance that enables CPAs to report on the controls at a service organization, particularly ones that provide outsourced services to other companies via technologies like cloud computing.
Statement on Standards for Attestation Engagements No. 16 (effective for service auditors’ reports for periods ending on or after June 15, 2011) supersedes the guidance for service auditors in SAS 70, and will be used to examine controls over services performed by a service organization that affect its customers’ internal control over financial reporting.
If a company outsources a function to a service organization, such as client billing, the auditor of that company’s financial statements will need to understand the design of the service organization’s controls over the billing process, because the data resulting from billing will ultimately be included in the company’s financial statements. The auditor also needs to determine whether those controls are appropriately designed and, in some cases, whether they are operating effectively. The most efficient way to do this is for the service organization to undergo an SSAE 16 engagement, which results in a SOC 1 report (service organization control report).
A SOC 1 report is a communication intended for management of the service organization, the auditor of the service organization’s financial statements, and existing customers of the service organization and may not be used for promotional purposes.
“SSAE 16 represents the evolution of SAS 70 in response to the changing needs of the marketplace,” said Arleen Thomas, AICPA senior vice-president for member competency and development. “The Auditing Standards Board of the AICPA made these changes to address misunderstandings pertaining to SAS 70 and uphold the accounting profession’s mission to protect the public interest.”
To assist CPAs as they make the transition from performing a service auditor’s engagement under SAS 70 to doing so under SSAE 16, the AICPA has recently published an authoritative SSAE 16 guide.
When a company outsources to a service organization a function that is not relevant to its customers’ financial statements, the information sent to the service organization may still include personal information, such as patient information included in medical claims processed by a claims processor for a health insurer. In those circumstances, the health insurer may request assurance regarding the service organization’s controls over the privacy of that information.
To respond to these specific marketplace needs, the AICPA has published an authoritative guide on examining and reporting on controls relevant to the security, availability, or processing integrity of a service organization’s system, or the confidentiality or privacy of the information the system processes for customers.
The guidance can be used to perform an examination that results in a SOC 2 report and, in some cases, a SOC 3 report. SOC 3 reports cover the same subject matter as SOC 2 reports, but with less detail, and may be freely distributed to potential customers.
Thomas provides an overview of the SOC reports in an online video.
The AICPA guides, Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1), and Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) are available for $60 each for AICPA members, or $75 for non-members.