In the past, SAS 70 reports encompassed financial reporting controls, operational controls, and compliance controls. SSAE 16 SOC 1 reports, which have effectively replaced SAS 70 reports, will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 SOC 1 reports can no longer be used for any other purpose except for reporting on the system of internal controls relating to internal control over financial reporting. For reports that are not specifically focused on internal controls over financial reporting, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following principles:
This means many companies which have used SAS 70’s in the past, will now need a SOC 2 report (e.g. managed service providers, Software as a Service (SaaS), cloud computing, etc.).
Many companies undergoing a SOC 1 or SOC 2 audit for the first time choose to perform a Readiness Assessment prior to undergoing the Type I or Type II audit. For more information regarding the benefits of our Readiness Assessment services, please click here.
SSAE 16 Professionals has assembled top tier leadership to help our clients through the SOC 2 process. For further information regarding SSAE 16 reports, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!