AT Section 101 is a professional standard that all service organizations need to be keenly aware of, due in large part to the creation of the AICPA SOC reporting framework, in which both AT Section 101 and SSAE 16 play critical roles in reporting on controls.
In issuing SSAE 16, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has been very clear in stating that the intent of SSAE 16 itself is for reporting on controls at service organizations that provide services to user entities, where those controls are likely to be relevant to user entities’ internal control over financial reporting.
Simply stated, if a service provider is performing a task or function or providing a service to another entity that impacts the financial reporting of that entity in some way, then SSAE 16 is applicable. Thus, the scope of SSAE 16 is still consistent with that of SAS 70, which it is replacing.
AT Section 101 and SOC 2 Reporting - A Growing Trend
Thus, when reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting), practitioners should perform an Attest Engagement in accordance with AT Section 101. Therefore, SOC 2 audits are to be the chosen reporting platform for such user organizations. Keep in mind that the AICPA made the use of AT Section 101 very clear because the original (and now thankfully defunct) SAS 70 auditing standard strayed heavily from its original use as an auditor-to-auditor standard and became more of an internal control audit conducted on almost any conceivable organization. Many service organizations quickly began to obtain SAS 70 Type I and Type II compliance for marketing and business development reasons, often largely ignoring the true technical merit and intent of the auditing standard itself. As such, the AICPA highly recommends that practitioners reporting on controls outside of financial reporting conduct an Attest Engagement in accordance with AT Section 101.
The AICPA is also very aware of the changes being brought about by technology and has published numerous guides, such as the following: Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
AT Section 101 and SOC 2 Audits - The Preferred Choice for Technology Companies
Expect this guide to be utilized when practitioners issue Attest Engagements under AT Section 101. This guide, along with the issuance of a Service Auditor’s Report under AT Section 101, could become a very well-known audit report in the marketplace as companies possibly move away from the SSAE 16 scope (which is limited to financial reporting) and embrace reporting on controls outside the scope of financial reporting. It’s simply too early to tell which of the service organization reporting options will take firm root, resulting in widespread acceptance. With that said, expect SSAE 16, Attest Engagements in accordance with AT Section 101, ISAE 3402 and other country- or region-specific standards to be the dominant players.
Simply stated, if you’re a technology company, such as a cloud computing vendor/provider, data center, managed services entity, software development shop, data analytics provider – any type of business in the technology space – then SOC 2 Type 1 and SOC 2 Type 2 audits are the preferred choice for compliance reporting. Want to receive a competitive, fixed fee for SSAE 16 Type 1 and Type 2 compliance? Then contact us today or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706.