SOC: SAS 70, ISAE 3402, and SSAE 18

SOC may refer to “System or Organization Controls” or “Service Organization Controls.” The former is the control set under examination, while the later is the reporting framework employed after assessments.

SAS 70 established in 1992 is the first standard that provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. It was superseded by SSAE 18 in 2017; revisions can be found in section AT-C of the AICPA Professional Standards.

SAS 70 as the US Standard

Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

A service auditor’s examination performed in accordance with SAS No. 70 (also commonly referred to as a “SAS 70 Audit”) represents that a service organization has been through an in-depth examination of their control objectives and control activities, which often include controls over information technology and related processes.

In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

Source: SAS 70

ISAE 3402 as an International Standard

International Standard on Assurance Engagements 3402 (ISAE 3402) , titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that prescribes Service Organization Control (SOC) reports, which gives assurance to an organisation’s customers and service users that the service organisation has adequate internal controls.

ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and is published by the International Federation of Accountants (IFAC). It was first published in December 2009 with an effective date of June 15, 2011. It supersedes SAS 70 and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.

It is also known as “Internal Control Framework over Financial Reporting” (ICFR)[citation needed]. The approach is from a financial reporting perspective.

SOC Reports

System and Organization Controls (SOC) assessment is a suite of service offerings that can only be performed by an independent certified public accountant (CPA) per the specific professional standards established by the American Institute of Certified Public Accountants (AICPA), e.g., SSAE 18.

  • SOCs are in connection with system-level controls of a service organization or entity-level controls of other organizations.
  • SOC reports are classified into three categories in terms of applicable standards, controls, and usage of the report: SOC 1 (financial controls), SOC 2 (system and security controls), and SOC 3 (summary of SOC 2).
  • There are two types of SOC reports depending on its timespan of audits. The Type I reports evaluate the effectiveness of the control design (aka a snapshot), while the Type II reports examine the effectiveness of the design and operations for a period of time, typically over six months.

SOC for Service Organizations

Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service

  • SOC 1®— SOC for Service Organizations: ICFR
  • SOC 2®— SOC for Service Organizations: Trust Services Criteria
  • SOC 3® —SOC for Service Organizations: Trust Services Criteria for General Use Report

Source: AICPA


Leave a Reply