Many service organizations are familiar with the SAS 70 report—for almost 20 years, the SAS 70 audit was the most widely recognized independent attestation report for third-party service providers. In recent years, the outsourcing landscape has changed significantly. As companies have moved to the cloud and adopted other technical innovations through third-party service providers, they need assurance over a broader set of controls. Companies are not just concerned about financial statement reporting risks; they need to understand the controls performed by their service provider to address confidentiality, privacy, system availability (i.e., uptime) and other operational and/or compliance matters. For this reason, service auditor reporting has evolved from the SAS 70 report into a framework of three Service Organization Control (SOC™) reports. This change allows the management of a service organization to select the most appropriate reporting option for their customers, depending on their customers’ specific needs. In general, the new service auditor reporting framework is focused as follows:
- SOC 1™: A SOC 1 examination is the report closest to the traditional SAS 70 and is focused on the controls related to financial statement reporting. Companies that have outsourced critical functions that impact financial reporting need to assess controls over outsourced functions in the same manner as if activities were performed in-house; therefore, they typically require a SOC 1 report. A significant change from the previous standard is that management of the service organization is now required to provide a “written assertion” for inclusion in the report.
- SOC 2™: The SOC 2 report has been designed to address controls other than those relevant to financial reporting; this report is often most appropriate for technology and cloud service providers. This audit is governed by a set of Trust Services Principles and Criteria that include Security, Availability, Processing Integrity, Confidentiality or Privacy. The Trust Services Principles were revised in late 2013; the simplified framework went into effect in March 2014.
- SOC 3™: The SOC 3 report covers the same subject matter as SOC 2 (i.e., the Trust Services Principles and Criteria), but provides a simple, publicly available report as the final deliverable.
Have your customers requested independent, third-party verification of your internal control environment or access to your facility to perform their own audits? Are you considering a report for competitive reasons? The professionals at Sikich have extensive service auditor reporting experience and can help you understand your reporting options. We also provide a full range of readiness services and can help your organization prepare for its first successful service auditor examination.