SAS 70 OR SSAE SIXTEEN OR SOC - WHICH REPORT IN THE EVENT YOU USE?

SAS 70 or SSAE sixteen or SOC - Which Report In the event you Use?

SAS 70 or SSAE sixteen or SOC - Which Report In the event you Use?

Blog Article

Improve Has Arrived

What has actually been referred to as a "SAS 70 Report" is refreshed from the American Institute of Certified Community Accountants (AICPA) with new steering for reporting on company organizations. This assistance changed SAS 70 for stories masking durations ending on or after June 15, 2011.

The initial intent of the SAS 70 report was to talk to auditors about financial statement assertions. With time, SAS 70 morphed into a internet marketing tool; a "certification" for security, availability, along with other assertions unrelated to controls in excess of fiscal reporting. As corporations are getting to be increasingly concerned about dangers past economic reporting, a whole new suite of stories was required to fulfill the requires of such organizations.

The AICPA's response was to offer option options for reviews created to give end users of 3rd-social gathering expert services consolation all-around Those people operational controls applicable to them: stability, processing integrity, availability, confidentiality and privateness. These solutions are encompassed in The brand new AICPA Service Organization Control (SOC) reports. Instead of owning 1 report made for monetary reporting, there now are three versions of a Services Organization Control Report---SOC 1, SOC 2, and SOC three experiences, Each individual serving a definite intent:

SOC one: Report on Controls in a Assistance Group Appropriate to Consumer Entities' Inner Handle above Economic Reporting gives ease and comfort about monetary reporting and transaction solutions; essentially, what a SAS 70 was originally meant to do. SOC one engagements are done in accordance with Assertion on Specifications for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.

SOC two: Report on how to get soc 2 certification Controls in a Support Firm Pertinent to Safety, Availability, Processing Integrity, Confidentiality and/or Privacy utilizes predefined conditions and handles a number of in the five key system characteristics of stability, availability, processing integrity, confidentiality, and privateness. SOC 2 engagements address controls at the Corporation that relate to functions and compliance.

SOC three: SysTrust for Support Companies Report uses the same characteristics as being the SOC 2 report. The SOC 3 report is a typical-use report that gives only the auditor's report on if the procedure achieved essential rely on services requirements, leaving out the in depth program and screening descriptions. The SOC three report also permits the Corporation to use the SOC 3 seal on its Web-site.

Critical Alterations to Reporting

The new standards alter the articles in the report, along with the reporting process with the provider Business. The required improvements give your Business a possibility to differentiate and to offer improved relevancy to your shoppers. Provider companies are needed to present a description of the process. This description is much more encompassing than the description with the controls necessary by a SAS 70. The new description delivers more details related to the people today, procedures, and technologies set up to realize management's Regulate goals. The description also incorporates more details over the courses of transactions processed. An additional improve would be the requirement which the Business give a prepared assertion that is a critical element of your report. The assertion by administration will indicate its accountability for your precision of the description of the technique and also the analysis requirements for The premise of creating the assertion.

Deciding upon Your SOC Report

When deciding on a Services Group Manage Report (a SOC report), take into consideration your audience. Who will almost certainly use this report and for what goal? Does your viewers incorporate auditors who need information about your controls as well as exam effects, or will a common-use report satisfy their wants?

When you transition from the SAS 70 report to a different SOC report, you will also want to look at your program and the kinds of transactions you method. Responses to these issues can help make sure you prepare the SOC report which most closely fits your organization.

Report this page