SOC it to me! Are you ready for changes to the Service Organization Control standards?
The AICPA has made some significant changes to the guidance for CPAs providing examination reports on controls at service organizations. As a result of these changes, the current SAS70 reporting standards have been updated, and – effective for periods ending on or after June 15, 2011 – will be replaced by SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards). The new standard will provide:
- Improved guidance for CPAs providing examinations over service organization controls;
- Enhanced clarity with regard to the “suitable criteria” considered during an examination;
- Applicability to a greater number of business activities, such as hosted data centers and software provided as a service;
- Additional reporting options, including the potential for clients to share reports with prospective customers.
Using the services provided under this new standard, service organizations can better respond to user organization due diligence efforts, and demonstrate that clients have addressed concerns related to the security, availability and processing integrity, confidentiality, or privacy of data.
The following article provides the background, discussion of changes and a summary of SSAE 16.
For almost twenty years Statement on Auditing Standards No. 70: Service Organizations (SAS70) has been the source of the requirements and guidance for service auditors and for auditors of service organizations’ customers. Beginning in the late 1980s, auditors were expected to give greater consideration to a client’s internal controls as they pertain to the financial statements. In addition to assessing the controls in place at their client, auditors were expected to extend their assessment to controls in place at service organizations. This change, coming at a time of increased globalization and outsourcing of core business practices, increased the demands on auditors and the audited alike and created a complex situation for all involved.
From its beginnings in 1992, SAS70 was a useful tool to help bridge the gap between the need of auditors to gain assurance over controls at service organizations and the need of service organizations to run their business free from perpetual audits. Ten years later, the utility of SAS 70 was greatly increased with enactment of the Sarbanes-Oxley Act. Publicly traded companies were now required to obtain assurance that the internal controls at service organizations were in place and working to ensure accurate financial reporting. The Gramm-Leach-Bliley Act placed similar demands on some financial institutions. While these disparate uses were not foreseen in 1992, SAS70 provided a framework and allowed the objectives to be achieved. However, with greater demands and new expectations placed on SAS70, the reports began to lose relevance to clients and auditors alike.
Eleven years later, service organization audits are undergoing another substantial transformation. The reports that we refer to as “SAS70” (Reports over controls at Service Organizations) have been divided and replaced by two new standards: one, an Auditing standard, and the other an Attestation standard. The auditing standard primarily provides guidance for reporting on an audit of financial statements, whereas the attestation standards primarily provide guidance for reporting on other subject matter. This divergence into separate audit types, and what it means for auditors and auditees alike, is the subject of this discussion.
First, let’s start with what is NOT changing: the Auditing standard (AU 324). Only when reporting on controls at a service organization (as opposed to considering those controls in a financial statement audit) is the guidance superseded by a new attestation standard.
The guidance for a service auditor reporting on controls at a service organization relevant to user entities’ internal control over financial reporting has been placed in SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards).
In SSAE 16, the service auditor is not auditing or reporting on financial statements themselves, but rather on a service organization’s description of its system, controls, and control objectives. As noted above, moving the requirements for service auditors reporting on controls at a service organization to an attestation standard better reflects the nature of the work a service auditor typically performs on these engagements.
Incidentally, SSAE 16 is intended to help bring the Accounting Standards Board’s standards in line with those of the International Auditing and Assurance Standards Board. As such, SSAE 16 is based on ISAE no. 3402, Assurance Reports on Controls at a Service Organization. Convergence to international standards helps to ensure the continued relevance of SSAE 16 over time, and improves the potential for SSAE 16 to remain the standard for another twenty years.
So what has changed and when? Most notably:
- SSAE 16 will be effective for periods ending on or after June 15, 2011 and will require the service auditor to obtain a written assertion from the service organization’s management regarding the fairness of the presentation of their system, the suitability of control design and, where applicable, the operating effectiveness of the controls. This management assertion will be included in the final report.
- Other changes preclude service auditors from reducing testing based on evidence obtained for prior engagements.
- The opinion on the operating effectiveness of controls will no longer be as of a specified date, but will now cover the entire period covered by the auditor’s tests.
What has not changed? If you have been through the SAS70 process before, many of the changes will be subtle. As noted above, SSAE 16 will call for more explicit management assertions regarding the report objectives and controls, including whether they are both in place AND effective during the audit period.
The Letter of Management Representations will be more involved, and will require some discussion with your auditor to ensure that everyone is comfortable with the process and outcomes. There is no reason for auditor test work to be more involved or complicated as the outcome of the process – assurance regarding controls in place and their operating effectiveness – has not changed.
So far, pretty straightforward. SAS70 has been cleaved into an audit and an attestation standard. As someone who has required a SAS70 audit to comply with your customers’ needs (whatever they may be), you are likely asking:
“Now that SAS70 has been revised and refocused as an attestation standard, what does this mean for me?”
Service Organization Controls Reports (SOC)
Attestation standards, of which SSAE 16 is one, enable a CPA to report on subject matter other than financial statements. This is not new. As the SAS70 transitions to an attestation standard, this is a good time to revisit other attestation options that can address some of the needs formerly addressed by SAS70. As a means to help organizations select the appropriate standard and report for a particular business need, the AICPA recently introduced a series of three different Service Organization Controls (SOC) reports (SOC 1, SOC 2, and SOC 3) with differing scope and areas of focus. This series of reports encompasses the new SSAE 16 (SOC 1), and adds two new reporting options, SOC 2 and SOC 3. Let’s take a closer look at these new options.
SOC 1, the first option, generally retains the original purpose of SAS 70. Although the standard includes an additional Management Assertion section within the SOC 1 report and provides clarity with regard to acknowledging “suitable criteria”, this option will be very similar to the current SAS70 report.
Increased use of outsourced services has resulted in a demand by user entities for assurance regarding controls over the systems underlying those services. Unlike an outsourced billing or accounts receivable function, these services may not have a direct and material effect on an entity’s financial statements. As such, the full scope of a SOC 1 may be excessive, or irrelevant, to user organizations. In these instances, SOC 2, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is intended to meet that need with appropriate focus and scope.
An example of the applicability of SOC 2 reports is an engagement to report on a service organization’s controls over privacy. Many user entities are required by law or regulation to maintain the privacy of the information they collect from customers; this requirement does not go away when the data is outsourced to a service organization. To address these requirements, management of a user entity may ask the service organization for a service auditor’s report on the effectiveness of its controls over the privacy of the information it processes or maintains for user entities.
Unlike SSAE 16, the primary users of SOC 2 reports generally are not user auditors but rather management of the user entities.
SOC 3 reports are not really new; they have existed as AICPA WebTrust and SysTrust engagements for several years. With the retooling of the attestation standards, WebTrust and SysTrust fall into the new SOC framework. SOC 3 reports are designed to meet the needs of users who want assurance on controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but who do not need the detailed description of tests of controls and results included in either a SOC 1 or SOC 2 report.
Unlike a SOC 1 or SOC 2 report, a SOC 3 report may be used by both current AND prospective customers of the service organization.
In addition to a traditional report, a SOC 3 report can be delivered in the form of a seal displayed on the service organization’s website.
If your organization currently has experience with SAS70, we recommend you speak with a CPA firm to determine how to best prepare for this transition. If you have been obtaining a proper SAS70 examination, changes to the examination process should be minimal. With guidance and a well-formed plan of attack, you will be well on your way to a smooth transition to the new standard (and a better overall product).
If you are providing services other than financial reporting services, consider whether obtaining a SOC 2 or SOC 3 report might provide your clients greater assurance regarding your controls and processes, and potentially provide you with a competitive advantage in your industry. If you have any questions regarding service organization controls and reporting, please feel free to contact us.
The IT Consulting Division at Baker Newman Noyes has been providing service organization examination services for more than ten years and is prepared to assist your organization with the implementation of SSAE 16. Please feel free to contact Pat Morin, at 1.800.244.7444 for more information.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.