The SAS 70 reporting standard is no longer in effect for independent service auditor reporting. There is now a comprehensive framework of three Service Organization Control (SOC) reports from which to choose, depending upon the outsourced services provided and the needs of the “end users” of the report.
SOC Report Comparison
||End Users of the Report
||Users' management and users' auditors.
||Audits of financial statements or internal control.
||Controls relevant to user financial statement reporting. Type I (point in time) and Type II (period of time) reporting options.|
||Concerns regarding security, availability, processing integrity, confidentiality or privacy. Type I and Type II reporting options.|
||Any users with the need for confidence in the service organization's controls.
||Marketing purposes. Details of controls and tests of controls are not needed.
||Seal on website. Simple, easy-to-read report on controls. Type II reporting option only.|
Which SOC Report is Right for You?
|Will the report be used by your customers and their auditors to
plan/perform an audit of their financial statements?
|Will the report be used by your customers and/or stakeholders to gain confidence and place trust in your system?
||SOC 2 or SOC 3|
|Do you need to make the report generally available or post the seal on your website?
Deciding Between a SOC 2 and SOC 3 Report
|Do your customers need to see the details of your processing and controls, including the detailed tests performed and the results of those tests?
Sikich Can Help
The professionals at Sikich have extensive service auditor reporting experience and can help you understand your reporting options. We also provide a full range of readiness services and can help your organization prepare for your first successful service auditor examination.