Evolving Business Practices Spur Transition from SAS 70 to SOC Reports



In response to market demand and changing business practices — particularly outsourcing and the transition to cloud computing — the American Institute of CPAs (AICPA) in 2010 issued new auditing standards and audit guides that replaced the decades-old SAS 70 standards and audit guide. The new standards and audit guides, called Service Organization Control (SOC) reports, build on SAS 70 and focus on the misuse of SAS 70 reports for non-intended assurance purposes, align reporting with international standards, and provide more reporting options to address non-financial transaction and reporting subject matter and assurance needs. These new standards went into effect for all reports issued after June 15, 2011.

Learn why these changes are important to not-for-profits.


MHM Messenger, November 2012
Mayer Hoffman McCann P.C. – An Independent CPA Firm
A publication of the Professional Standards Group

Evolving Business Practices Spur Transition from SAS 70 to SOC Reports

In response to market demand and changing business practices — particularly outsourcing and the transition to cloud computing — the American Institute of CPAs (AICPA) in 2010 issued new auditing standards and audit guides that replaced the decades-old SAS 70 standards and audit guide. The new standards and audit guides, called Service Organization Control (SOC) reports, build on SAS 70 and focus on the misuse of SAS 70 reports for non-intended assurance purposes, align reporting with international standards, and provide more reporting options to address non-financial transaction and reporting subject matter and assurance needs. These new standards went into effect for all reports issued after June 15, 2011.

Why are these changes important to not-for-profits?

Not-for-profits have long outsourced payroll and pension recordkeeping, so they are well acquainted with SAS 70 reports. For these purposes, not-for-profits will now receive SOC 1 reports instead of SAS 70 reports. While similar, there are some significant differences in these reports, which are addressed later in this Messenger.

More significantly, many not-for-profits have recently begun to outsource other functions as well, and at the same time are exploring cloud-based hosting for some systems, email and document storage. To address control issues related to these activities and execute careful due diligence and oversight of the vendors providing these services, not-for-profits should get up to speed on SOC 2 reports, which are growing more common.

SAS 70 History

Introduced in 1992, SAS 70 arrived at a time when outsourcing was in its infancy. Organizations were just beginning to outsource some key tasks, such as payroll, but for the most part still handled their primary IT processes in house. Still, outsourcing even a small fraction of tasks brought concern about how those processes were performed by a third-party organization. SAS 70 was developed to assist external auditors in planning audits of their clients’ financial statements when the clients used third-party service providers for financial transaction processing and reporting services and functions.

As outsourcing became more widespread and organizations were paying closer attention to corporate governance, SAS 70 was being relied upon for uses beyond the scope of its original design, which was as an external auditor-to-auditor communication on the fair presentation, design, existence and operation of financial transaction processing and reporting controls. With the introduction of Software as a Service (SaaS), cloud computing and the proliferation of data privacy laws and regulations, SAS 70’s shortcomings became even more apparent. Organizations and their clients that have embraced SaaS and the cloud have demanded — and under certain laws and regulations are legally responsible for obtaining — greater assurance about the security, confidentiality, privacy, availability and processing integrity of their service providers.

As SAS 70 was never intended to address these concerns, it became clear that SAS 70 was not an adequate examination and reporting method for meeting the evolving variety of assurance needs, so new, more robust and appropriate standards were developed.

About SOC Reports

There are three types of SOC reports that address assurance for service organizations. According to the AICPA, “each type of report has an accepted professional standard under which the audit will be performed to allow for a common nomenclature when referring to reports going forward while allowing for a more frequent update of the professional standards.”

The new SOC reports provide a framework for CPAs to examine controls and to help management understand the related risks of outsourcing to a service provider. The new standards will eliminate the common but faulty practice of using SAS 70 to issue reports on controls related to outsourced non-financial functions and data rather than the correct attest standard. SOC reports clarify specifically which standard needs to be used and how it should be implemented.

Overview of the three types of SOC reports and related professional standards

SOC 1 reports are restricted reports intended as auditor-to-auditor communication and direct replacements for SAS 70s.

These restricted-use reports address the controls at a service organization related to financial transaction processing and reporting likely to be relevant to a customer’s external auditor in planning the company’s financial statement audit. These reports are not designed or intended for promotional purposes, for use by prospective customers, or to address non-financial transaction and reporting controls, such as security, privacy, or regulatory compliance. The applicable professional standard is SSAE 16, Reporting on Controls at a Service Organization. While similar to SAS 70, SSAE 16 introduces several key differences, including:

  • Attestation Standard: These standards are specifically designed to address guidance and requirements for examining and reporting on subject matter other than financial statements, such as controls and compliance.

  • Focuses on a Service Organization’s “System of Controls”: Where the SAS 70 audit standard focused on the service organization’s specified control objectives and controls and allowed service organizations to customize the scope, the revised standard focuses on the controls that a service organization implements to prevent, or detect and correct, errors, as well as omissions in the transaction processing and information that a service organization provides to its customers.

  • Management Must Provide Assertion: Similar to SOX Section 302, management must provide an assertion report taking ownership for a description of the system of controls, design and operation of controls, and risk assessment and criteria used to establish the control objectives and controls.

  • Establishes Requirements for Subservice Providers to be Included in the Report and Tested Controls: In order to include controls at subservice organizations (companies that provide services to the service organizations, such as a third-party data center for hosting systems and a bank for lockbox and automatic clearinghouse transfer processing), the subservice organization must also provide a management assertion report and description of its system of controls, and have the auditor test its controls.

  • International Alignment: SSAE 16 and related SOC 1 reporting were aligned with the comparable international auditing and reporting standards.

  • Description of Control System for the Entire Examination Period: Under SAS 70, the description needed to be a fair presentation of the controls as of the end of the examination period, such as December 31. Under SSAE 16 and SOC 1, the description must fairly describe the system of controls for the entire examination period, including all changes.

SOC 2 reports address issues stemming from non-financial controls regarding information.

These reports are designed to meet the needs of a broader range of users, including knowledgeable prospective customers of the service. The reports can be used to provide assurance on security, availability, processing integrity, confidentiality and privacy related to the provided services based on the AICPA’s Trust Services Principles and Criteria and Generally Accepted Privacy Principles. These reports also can be used for non-financial transaction processing and reporting services, such as cloud computing, data center hosting, SaaS, email services, database and analysis services, printing and mailing services, data repositories, etc. The applicable professional standards are AT 101, Attestation Engagements, and TSP 100, Trust Services Principles, Criteria and Illustrations.

When evaluating SaaS or cloud outsourcing providers, not-for-profit executives should take into account the information in a SOC 2 report, as well as responses to a series of targeted questions, such as:

  • What is your service level agreement for uptime and access to the software?

  • What is your disaster recovery/business continuity plan?

  • What are your uptime and outages?

  • How do you communicate problems, outages and fixes to your customers?

  • How are backups implemented and how long is data kept?

  • Who has access to the data and the hardware on which it is running?

  • How is redundancy implemented within the environment? (Do you have spare disk drives, servers, power supplies, Internet circuits? Do you have another data center to switch to in the event your main data center becomes unavailable?)

SOC 3 reports provide for brevity.

These reports are also based on the Trust Services Principles and Criteria and Generally Accepted Privacy Principles, as with SOC 2. However, SOC 3 reports are short-form reports that can be publicly distributed and posted on a service organization’s website or through the AICPA/CICA’s WebTrust Seal program and site. SOC 3 reports contain a general description of the service and system of controls, management’s assertion reporting, and the auditor’s opinion as to whether the management-specified Trust Services Principle in the assertion report met the related Trust Services Criteria during the examination period. As with SOC 2, the applicable professional standards are AT 101, Attestation Engagements, and TSP 100, Trust Services Principles, Criteria and Illustrations.

Because SOC 3 reports are short-form reports that exclude reporting on the detailed controls and related testing and results, service organizations that rely on controls at subservice organizations or customers to meet any applicable trust services criteria can’t obtain a qualified opinion unless the report includes assertion reports and descriptions of the control systems from the subservice organizations and customers, and the auditor tests these controls. Therefore, they are only appropriate for some organizations.

Organizations can choose to use SOC 2 or SOC 3 reports depending on what type of assurance they are trying to achieve. Essentially, an organization looking to provide a higher level of assurance to the public would choose SOC 3 reports, while an organization aiming to provide deeper assurance to its clients would probably choose SOC 2 reports. In some cases, organizations may elect to do both a SOC 2 and a SOC 3 audit to address the concerns of dual audiences.

For More Information

For more information on how these new SOC reports may impact your organization’s financial reporting, due diligence oversight of service organizations and assurance requirements, please contact Michelle Spriggs or your MHM professional. Michelle can be reached at mspriggs@cbiztofias.com or 774.206.8336.

The information in this MHM Messenger is a brief summary and may not include all the details relevant to your situation. Please contact your MHM service provider to further discuss the impact on your financial statements.

our roots run deep™ © 2012 Mayer Hoffman McCann P.C. 877-887-1090 • www.mhm-pc.com • All rights reserved.