AICPA Offers Guidance on Next Generation of SAS 70

The American Institute of CPAs has developed new reporting standards aimed at cloud computing providers, health care claims processors, and other information system service organizations, which will ultimately replace those offered through SAS 70.

Known as Service Organization Control (SOC) reports, they succeed the SAS 70 reports and are designed to provide a framework for CPAs to examine controls and to help senior management understand the risks of outsourcing to a service provider.

“The AICPA issued the expanded standards in response to marketplace demand,” said AICPA president and chief executive Barry Melancon. “Service organizations have been vocal about their clients wanting assurance that they have effective controls for all their data — not just financial information. These reporting options will help them build that trust with their clients.”

Some companies have misused SAS 70 to issue reports on controls over outsourced non-financial data, instead of using the attest standard that was already in place and was the correct one for such engagements. The SOC reports clarify which standard needs to be used and how it should be applied to meet specific user needs, according to Erik Asgeirsson, president and CEO of CPA2Biz.

“All the financial control standards are in place via SAS 70, but what the market really wants to address is concerns about the privacy, the processing integrity, and the data, and that’s broader than just financial controls,” he said. “What this is doing is basically serving a need. They need to make sure these standards are being met, particularly by cloud-based [service] providers. This is a major evolution from SAS 70, and it will have a substantial impact on CPAs and their clients. Lots of firms are doing work around SAS 70 and that work will now be expanded. Audit firms will be all over this.”

CPA2Biz plans to utilize the SOC standards as part of its own due diligence for evaluating prospective members of its Trusted Business Advisor Solutions program, according to Asgeirsson. There is a great deal of brand recognition for SAS 70, and both the AICPA and CPA2Biz hope to translate that level of awareness to SOC.

There are currently three types of SOC reports:

• SOC 1 reports are primarily an auditor-to-auditor communication addressing the controls at a service organization that are relevant to its clients’ financial reporting. They are restricted-use reports, and therefore are not designed for promotional purposes.

• SOC 2 reports respond to the rapid growth in cloud computing and data outsourcing, and to the marketplace need for clarification on how reports on non-financial controls, such as data security, confidentiality and privacy, should be structured.

• SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy, but do not have the need or the necessary knowledge to make effective use of a SOC 2 report. Because they are general-use reports, SOC 3 reports can be freely distributed or posted on a Web site with an accompanying seal. SOC 3 is the only SOC report type for which this is true; a customer who needs the detail behind the seal must request the service organization’s SOC 2 report.

Melancon provides an overview of how the guidance and reports were developed in an online video.
