AICPA Publishes Guidance on Next Generation of SAS 70

Cloud computing providers and healthcare claims processors are among the information system service organizations that will benefit from new CPA reporting options developed by the American Institute of Certified Public Accountants.

“The AICPA developed these new Service Organization Control reports in response to marketplace demand,” said Barry Melancon, AICPA president and CEO. “Service organizations have been vocal about their clients wanting assurance that they have effective controls for all their data – not just financial information. These reporting options will help them build that trust with their clients.”

“As accounting firms and their clients increasingly move to the cloud, greater confidence in data security, confidentiality and privacy is needed,” said Erik Asgeirsson, president and CEO of CPA2Biz, a leading cloud solutions provider and subsidiary of the AICPA. “This is a major evolution from SAS 70 that meets the need in the marketplace and will have a substantial impact on CPAs and their clients.”

The AICPA designed the new Service Organization Control (SOC) reports, with illustrative examples, to help companies that outsource tasks or functions to third-party information system providers, such as Intacct or Salesforce.com. Data security risks in such outsourcing require greater due diligence to avoid internal control breakdowns. Melancon provides an overview of how the guidance and reports were developed in an online video.

The new SOC reports, which replace what were formerly called SAS 70 reports, provide a framework for CPAs to examine controls at a service organization and to help senior management understand the risks of outsourcing to a service provider.

Service organizations had misused SAS 70, a standard intended for controls over financial reporting, to issue reports on controls over outsourced non-financial data, rather than using the attestation standard already in place for that purpose. The SOC reports clarify which standard applies to each type of engagement and how it should be applied to meet specific user needs.

  • SOC 1 reports are primarily an auditor-to-auditor communication that addresses the controls at a service organization relevant to its clients' financial reporting. These reports are restricted-use reports and therefore are not designed for promotional purposes.
  • SOC 2 reports respond to the rapid growth in cloud computing and data outsourcing, as well as the marketplace need for clarification on how reports on non-financial controls over information, such as data security, confidentiality and privacy, should be structured.
  • SOC 3 reports cover the same subject matter as SOC 2, but in a general-use, short-form format that may be freely distributed.

Published February 01, 2011 by AICPA