SAS 70 To SOC
Video of AICPA's Barry Melancon giving an overview of a new initiative to assist CPAs with SOC reports.
SAS 70 The Next Generation: Planning for the New Service Organization Standards - A webcast designed to help CPAs understand the
changes made to the audit and attest standards for service organizations.
Cloud Computing: What Accountants Need to Know
Source - JofA - written by ALEXANDRA DEFELICE - Oct. 2010
There's no arguing that “cloud computing” is gaining a great deal of momentum. Worldwide, cloud services revenue is forecast to reach
$68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6 billion, according to analyst firm Gartner Inc. So what does this
mean to the accounting profession? What are the benefits and risks? Who are the vendors in the proverbial sky, and how do you know you
can trust them with your data—or your clients' data, for that matter?
This article answers some of those questions and explains the history and future of the cloud.
Service Organization Control Reports
Service Organization Control reports are internal control reports on the services provided by a service organization. They provide valuable
information that users need to assess and address the risks associated with an outsourced service.
Service Organization Controls - Managing Risk by Obtaining a Service Auditor's Report Brochure
SOC reports are designed to help service organizations build trust and
confidence in their service delivery processes and controls through a report by
an independent CPA. Each type of SOC report is designed to help service
organizations meet specific user needs:
SOC 1℠ Reports
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
SOC 2℠ Reports
Report on Controls at a Service Organization Relevant to Security, Availability,
Processing Integrity, Confidentiality or Privacy.
SOC 3℠ Reports
Trust Services Report for Service Organizations.
Free toolkit developed to help CPAs explain SOC Reports to service organizations
- Source: AICPA
A new series of reporting options has replaced the former SAS 70 reports for service auditors. To help explain the new reports to service
organizations, the Institute has developed a free toolkit consisting of a flier, a PowerPoint presentation and an article to feature in
publications or on websites. The flier provides highlights of the three SOC reports and will help you and your clients determine which report
will meet the service organization's needs. The PowerPoint presentation explores the evolution of what formerly were known as SAS 70 reports
and shows how they have adapted to today's marketplace. Written for firms' newsletters, the article summarizes the SOC reports, including the
SOC 2℠ Report that enables CPAs to provide assurance on internal controls over subject matter other than financial reporting.
Access the Toolkit.
To learn more, watch this video for an overview of SOC 1℠, SOC 2℠ and SOC 3℠ reports.
In the attestation standards, a CPA performing an attestation engagement ordinarily is referred to as a practitioner. However, for SOC
engagements the term service auditor rather than practitioner is used to refer to a CPA reporting on controls at a service organization, and
a user auditor is a CPA who audits and reports on the financial statements of a user entity.
Replacing SAS 70
New standards for engagements involving outsourcing
Source - JofA - written by JUDITH M. SHERINSKY, CPA - Aug. 2010
Guidance for CPAs who audit the financial statements of entities that outsource work to service organizations and those who report on controls
at service organizations is being revamped and relocated.
Since 1992, Statement on Auditing Standards (SAS) no. 70, Service Organizations, has been the source of the requirements and guidance
for CPAs reporting on controls at service organizations and for CPAs auditing the financial statements of
entities that use service organizations to accomplish tasks that may affect
their financial statements. SAS no. 70 has been divided and replaced by two new
standards. One is a Statement on Standards for Attestation Engagements (SSAE)
also known as an attestation standard; the other is a SAS (an auditing
standard). The requirements for reporting on controls at service organizations
have been placed in SSAE no. 16, Reporting on Controls at a Service
Organization (see Official Releases, page 82). The requirements for auditing
the financial statements of entities that use service organizations remain in
the auditing standards in a new SAS, Audit Considerations Relating to an
Entity Using a Service Organization.
SAS No. 70 Transformed - Changes Ahead for Standard on Service Organizations
Published by AICPA May 04, 2010
Many entities outsource business tasks or functions to other entities. The entity performing the outsourced service is called a service
organization and the entity using that service is called a user entity. Previously, SAS No. 70, Service Organizations, contained
the requirements and guidance for CPAs reporting on controls at service organizations and for user auditors auditing the financial
statements of entities that use a service organization. SAS No. 70 is now being divided into parts and replaced by two new standards.
SSAE No. 16 for Service Auditors
In April, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at
a Service Organization. SSAE No. 16, which provides the requirements and guidance for a service auditor reporting on a service organization's
controls that are relevant to user entities’ internal control over financial reporting, supersedes the guidance for service auditors in SAS No.
70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324). It is effective for service auditors' reports for periods ending
on or after June 15, 2011. Earlier implementation is permitted.
Read a summary of this new standard.
Clarified Auditing Standard for User Organizations
As part of its Clarity Project, the ASB also issued Clarified Statement on Auditing Standards, Audit Considerations Relating to an Entity
Using a Service Organization. This SAS will supersede the requirements and guidance for user auditors in SAS No. 70, Service Organizations
(AICPA, Professional Standards, vol. 1, AU sec. 324), and address the user auditor’s responsibility for obtaining sufficient appropriate audit
evidence in an audit of the financial statements of an entity that uses one or more service organizations. The effective date will be the same
as the other clarified standards, which is no earlier than for periods ending after December 15, 2012 (early implementation is not permitted).
Two Authoritative Guides to Come
In early 2011, two authoritative guides will be released. One, a rewrite of the current SAS No. 70 Service Organizations audit guide,
will provide guidance on examining and reporting on a service organization's controls that are relevant to user entities' internal control over
financial reporting. The other guide will provide guidance on examining and reporting on a service organization's controls over subject matter
other than financial reporting, such as security, availability, processing integrity, confidentiality or privacy of user entities'
information or operations.
Resources to Help CPAs
Recognizing the complexity of the topic, the AICPA is developing resources to help members understand and implement the new standards.
The AICPA has developed an FAQ to explain changes in the standards resulting from the issuance of SSAE No. 16, including moving the
requirements and guidance for service auditors from SAS No. 70 to that SSAE. In addition, this archived webcast held on June 28, SAS
70 the Next Generation: Planning for the New Service Organization Standards, covers SSAE No. 16 and the new Audit Guides.