The American Institute of CPAs has developed reporting options for organizations that utilize Internet-based services. The new Service Organization Control reports, formerly called SAS 70 reports, are designed to help companies that outsource services or tasks to third parties.
In a prepared statement, the AICPA said that the reports "provide a framework for CPAs to examine controls and to help senior management understand the related risks of outsourcing to a service provider." SAS 70 had been misused, the AICPA said, by companies issuing reports on controls related to outsourced non-financial data rather than using the correct attest standard, which was in place.
The new reports include the following:
SOC 1 reports. Primarily an auditor-to-auditor communication, these address the controls at a service organization relevant to financial reporting. These are restricted-use reports, not designed for promotional purposes.
SOC 2 reports. SOC 2 is a response to the rapid growth in cloud computing and data outsourcing. These reports help clarify how reports on non-financial controls regarding information, such as data security, confidentiality and privacy, should be structured.
SOC 3 reports. These cover the same subject matter as SOC 2, but in a general-use, short-form format that may be freely distributed.