SOC Services – High Tech Issues have gone through a substantial change recently. In the past, SAS 70 reports encompassed financial reporting controls, operational controls, and compliance controls. SSAE 16 SOC 1 reports, which have effectively replaced SAS 70 reports, are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 SOC 1 reports can no longer be used for any purpose other than reporting on the system of internal controls relating to internal control over financial reporting. For reports that are not specifically focused on internal control over financial reporting, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports are now considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following principles:
- Security: The system is protected against unauthorized access, use, or modification;
- Availability: The system is available for operation and use as committed or agreed;
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized;
- Confidentiality: Information designated as confidential is protected as committed or agreed; and
- Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.
Many companies undergoing a SOC 1 or SOC 2 audit for the first time choose to perform a Readiness Assessment prior to undergoing the Type I or Type II audit.