What is AT Section 101? This seems to be a question that many people are asking these days and for good reason. AT Section 101 has become increasingly relevant for reporting on controls at service organizations due to the advent of the AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports. While SOC 1 reporting, which uses the SSAE 16 professional standard, is geared toward reporting on controls relevant to financial reporting, SOC 2 and SOC 3 reports are designed for reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting).
In short, SOC 2 and SOC 3 reports are to be issued under the AT Section 101 attest standard, while SOC 1 reports are to utilize the SSAE 16 attest standard. Please note it is expected that in early 2011, the American Institute of Certified Public Accountants (AICPA) will be issuing accompanying "audit guides" for both the SSAE 16 and AT Section 101 standard for helping assist practitioners when conducting engagements.
Understanding the "Attestation" Element of Auditing
So what specifically is AT Section 101, which stands for "Attestation Standards" as put forth in section 101 of the codification standards? You'll first need to gain a technical understanding of what "Attestation Standards" are along with what "section 101" is. To begin, "Attestation Standards" are a series of general provisions and requirements that provide overall guidance along with a broad-based framework for the accounting and auditing profession for the purposes of providing "attest" services to organizations. In the world of public accounting, the term "attest" is generally regarded as that of asserting to, affirming to, and expressing an opinion on specific subject matter. The "Attestation Standards" serve as further guidance and support for the larger and ever-growing professional services being provided by CPAs today outside the traditional financial statement auditing arena. More simply stated, accountants are not just conducting financial statement audits or preparing tax returns, rather, they are increasingly involved in many other areas of general assurance services, for which there needs to be a meaningful, relevant, and broad-based framework to rely upon.
General Provisions regarding an Attest Engagement
• An attest engagement is to be performed by a practitioner that has adequate training in the actual attest function being performed, adequate knowledge of the subject matter and that the subject matter at hand is actually capable of being evaluated against suitable and available criteria.
• The practitioner is to be independent in fact and in mental attitude when conducting an assurance engagement and due care should be used in planning, performing, and supervising the engagement.
• The practitioner should adhere to the provisions set forth for Standards of Fieldwork and for Standards of Reporting, as may be relevant, for which you can learn more about at the Public Company Accounting Oversight Board, simply known as the PCAOB.
Regarding "section 101", which is the section number within the codification standards, it is essentially a section that provides a framework for "attest" engagements performed by practitioners. Moreover, this section applies to engagements in which a certified public accountant (CPA) in the practice of public accounting is engaged to issue or does in fact issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about a particular subject matter.
AT 101 and SOC 2 - Huge Growth Expected
AT Section 101 will play a pivotal role in reporting on controls at service organizations due to the large and ever-growing number of entities in today's "cloud computing" and technology business sectors. Organizations providing Software as a Service (SaaS), managed services, cloud computing, and hosts of other technology related services may most likely be issued SOC reports under the AT Section 101 attest standard.
Moreover, the audit guide that will be used for reporting on controls outside that of financial reporting for service organizations undergoing an engagement in accordance with AT Section 101 is the following: "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy". As stated earlier, this audit guide is to be issued in early 2011. To discuss or learn more about AT Section 101, SSAE 16, ISAE 3402 and the AICPA SOC framework and what type of Service Auditor Reports your organization will most likely need for compliance, please contact us today or speak directly with Christopher Nickell, CPA, of NDB Accountants & Consultants, LLP at 1-800-277-5415-ext. 706 or email NDB at firstname.lastname@example.org today.