The AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2 and SOC 3 reports, represents a significant milestone in reporting on controls at service organizations, and one that many felt was long overdue. SAS 70, a well-known and globally recognized auditing standard that was put forth in 1992, became the only real essential mechanism used for third-party reporting on service organizations for approximately the last 18 years. Sure, there were other country and region specific standards, but none of them equaled the status and notoriety of SAS 70. As such, the standard became widely used, but it also strayed heavily from its original intent as that of reporting on controls related to internal control over financial reporting.
Add to the fact that the dynamics of service organizations had drastically changed and a new international standard for reporting on controls was born, known as ISAE 3402, it became quite apparent that the AICPA had to make comprehensive changes to SAS 70. In short, enter the SOC reporting framework, along with SSAE 16 and AT Section 101, and exit the long-standing SAS 70 standard.
To be fair, the AICPA was well-aware of the changing landscape of service organizations, such as the rise of cloud-based computing, the migration towards international accounting standards (such as ISAE 3402) and the overall need to revamp an antiquated and misused auditing standard (SAS 70). In fact, the AICPA and the International Federation of Accountants (IFAC) worked together in a collaborative fashion, as witnessed by the striking similarities these two new standards (SSAE 16 and ISAE 3402) represent for reporting on controls at service organizations.
With that said, it's important to gain a comprehensive understanding of the AICPA Service Organization Control (SOC) reporting framework, what it is and what it means to you as a service organization. As stated earlier, there are three (3) reporting options under the new SOC framework; SOC 1, SOC 2 and SOC 3. Probably the single-most important aspect to understand is that the SOC framework represents the AICPA's keen understanding of the complexities that have evolved over the last two decades for service organizations and the need to provide auditors with tools to meet the growing compliance demands of these organizations. As such, the AICPA’s revamping of reporting on controls for service organizations from that of a single, antiquated standard (SAS 70) to a new comprehensive framework (SOC) will forever change the reporting requirements for service organizations.
SOC 1 reports are to be utilized for service organizations reporting on controls relevant to internal control over financial reporting (ICFR). SOC 2 reports will be utilized for reporting on controls for the growing list of I.T. related organizations, such as cloud computing, Software as a Service (SaaS), managed services, along with data centers, just to name a few. SOC 3, similar in framework to that of SOC 2, will also likely be used for I.T. related service organizations, ultimately resulting in a general use report available to the public.
Very quickly, it seems like phrases such as SOC 1, SOC 2, SOC 3, SSAE 16, and AT Section 101 can become quite confusing. Get the facts and speak to an expert. Call Chris Nickell, CPA, directly at 1-800-277-5415, ext. 706 or email Chris at .
Author: Charles Denyer