Friday, June 3, 2011

An Overview of the New Service Organization Control Reports

Organizations that collect, retain, or process information on behalf of other organizations are known as service organizations. Some of the most familiar types of service organizations widely used by companies are payroll processors, employee benefit plan administrators, and asset custodians. In recent years, there has also been growing reliance on providers of software as a service and cloud computing. For nearly two decades, firms auditing companies that use service organizations have relied on the service organization's Statement on Auditing Standards (SAS) No. 70 report. These reports are prepared by the service organization's independent auditor and provided to clients who rely on the service organization's processing in preparing their own financial statements.
Beginning June 15, 2011, SAS 70 is superseded by SSAE 16 (Statement on Standards for Attestation Engagements No. 16) for U.S. service organizations; its international counterpart is ISAE 3402, issued by the IAASB. The new reports are commonly referred to as Service Organization Control (SOC) reports. Note that SSAE 16 governs only the SOC 1 report; SOC 2 and SOC 3 engagements are performed under the AICPA's attestation standards (AT Section 101) using the Trust Services Principles and Criteria. There are three types of SOC reports for service organizations to consider issuing, summarized below:

SOC 1 Report – A report on the service organization's controls that are relevant to its clients' (user entities') financial reporting. SOC 1 reports evaluate what is commonly known as ICFR (internal control over financial reporting) and, like SAS 70 reports, come in two forms: a Type 1 report covers the design of controls as of a point in time, and a Type 2 report also covers their operating effectiveness over a period.

SOC 2 Report – Controls tested in a SOC 2 report are not linked to financial reporting or financial statement assertions. Instead, SOC 2 reports evaluate controls against the AICPA Trust Services Principles and Criteria, which cover security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report need not address all five principles; the service organization selects those relevant to its services, and the report states which are covered. SOC 2 reports are also issued as Type 1 (design only, at a point in time) or Type 2 (design and operating effectiveness over a period).

Both SOC 1 and SOC 2 reports are similar to the former SAS 70 reports in that they describe the service organization's controls, how the auditor tested them, and the results of those tests. They also include a written assertion by management about the description and the controls. They are restricted-use reports, intended for the service organization's management, its clients, and its clients' auditors.

SOC 3 Report – The audit work performed for a SOC 3 report uses the same Trust Services Principles and Criteria as a SOC 2; however, the report issued contains only management's assertion and the auditor's opinion, leaving out the detailed control descriptions and test procedures. SOC 3 reports are general-use reports intended for unrestricted distribution, and organizations receiving an unqualified opinion are permitted to display a seal on their website indicating the results of their SOC 3 report. Because a SOC 3 omits the test detail, a client that needs to evaluate specific controls (for example, how access to its data is restricted) should request the SOC 2 instead.

As more organizations rely on service organizations for critical IT functions and the processing of financial information, auditors should become familiar with the content of the new SOC reports and how they will affect their clients' audits, and should check that a report's scope and coverage period match the services and audit period in question.
