Pub. 2 2011 Issue 2

summer 2011 21 from the AICPA, “SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” There are many similarities with SOC 1 and SAS 70 engage- ments including: • Two types of reports are available: Type 1 and Type 2. An opinion is issued on both types of reports. • The purpose of the engagement is to report on the internal controls over financial reporting used in the completion of financial statement audits of user entities. • The report is a restricted use report (user entity and the user auditor) – not to be distributed to potential customers. While there are similarities, there are some significant differ- ences with SOC 1 and SAS 70 engagements: • SAS 70 engagements were conducted under the audit standards while a SOC 1 engagement is conducted under the attest standards. • The SOC 1 report under SSAE 16 requires a description of the system from the service organization while the SAS 70 required a description of controls - more detail and informative description of the service organization is anticipated. • Management of the service organization must provide a written assertion to the service auditor regarding (should be on the service organization letterhead): • The description fairly presents the service organization’s system • The control objectives are suitably designed and operating effectively • The criteria used for making the assertions were in place and consistently applied • The subservice organization (i.e. check processing company for internet banking or payroll, etc.) reporting requirements are more extensive and may require a description from the subservice organization. • For SAS 70 Type 2 report, the report date was as of a specified date. With the SOC 2 report under SSAE 16, the test of operating effectiveness (Type 2 report) is for a period of time. These changes could have a significant effect on the SOC 1 report issued under SSAE 16. One misconception you may have heard over the past 19 years, was that an organization was SAS 70 certified. With the release of SSAE 16, the AICPA specifically noted that there is no such thing as being SAS 70 certified and there will be no such certification under SSAE 16 either. The SSAE 16 service auditor reports are for periods ending on or after June 15, 2011 (early adoption being acceptable). SOC 2 engagements (Reports on Controls at a Service Organi- zation Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy) are conducted under the AT Section 101, Attest Engagements, of SSAE’s. SOC 2 reports are similar to SOC 1 reports – both can be a Type 1 or Type 2 report and pro- vide a description of the service organization’s system. For Type 2 reports, a description of the tests conducted are also included. There are some differences including: • SOC 2 reports specifically address one or more of five key system attributes: security, availability, processing integrity, confidentiality and privacy. • The engagements are completed under AT Section 101 as opposed to SSAE 16. • The report is a generally restricted use report - typically to user entity management, practitioners evaluating or reporting on controls at a user entity, user auditors, regulators and others performing services related to the controls at the service organization. • The report is not intended to provide the user auditor with testing of service organization controls that could be a part of or impact the internal controls over a user entity’s financial reporting. Based upon the five key system attributes noted previously, a SOC 2 engagement may provide a user entity with critical in- formation as it relates to the protection of confidential data and privacy of customer information. Conclusion. The SAS 70 report has provided service organiza- tions, user auditors and user entities with valuable information since 1992. However, with the ever changing business and regu- latory environment, changes were necessary. The new report options are designed to provide the users of these reports with a tool to assist them in assessing the control environment for financial reporting and other business / operational areas. n Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accoun- tants, in Charleston, West Virginia. ACertified Public Accountant and Certified Informa- tion System Auditor, Mr. Joseph has over twenty-five years experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@afnetwork.com. There is no such thing as being SAS 70 certified and there will be no such certification under SSAE 16 either.