The ever-growing emphasis on governance, risk management and compliance has caused enterprises to focus on internal controls over all aspects of their operations. As part of this focus, many enterprises (user entities) that outsource functions or processes to a service organization are requiring the service organization to provide evidence of the effectiveness of the design and operation of its controls, to ensure that the enterprise's control requirements have been met. This has increased the need for service organizations to provide assurance, trust and transparency over their controls.
Since 1992, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70 (SAS 70) report has been the primary way that service organizations provided evidence of the effectiveness of the design and operation of their controls that affected customer financial reporting. Over time, however, SAS 70 reports came to be used for more than just financial reporting, and effective 15 June 2011 the report was superseded by three Service Organization Control (SOC) reports: SOC 1, SOC 2 and SOC 3. The SOC 1 report is prepared in accordance with Statements on Standards for Attestation Engagements (SSAE 16) for reporting on controls relevant to internal control over financial reporting (ICFR), an attestation engagement commonly known as a Service Organization Controls 1 report. The SOC 2 and SOC 3 reports are prepared in accordance with SSAE's AT Section 101 and are used to report on controls relevant to security, availability, processing integrity, confidentiality or privacy.
A3 Information Security Simplified LLC
Global IT Security & Risk Management Consulting Online for Small and Mid-Market Business