SOC1 (Service Organization Control 1) and SSAE 16 / SAS70

SAS 70 is over 18 years old and has begun to show its age. It was born before SOX or HIPAA existed, although not before COBIT. Two years ago the AICPA started looking at replacing SAS 70.

The result is SSAE 16, which must be used for any service auditor report covering a period that ends on or after June 15, 2010. Reports issued under SSAE 16 carry the title Service Organization Control 1 (SOC1).

You now need a SOC to have SOX.

SOC1 differs from SAS70 in the following four ways:

  • Focus: It is only meant to be used when a service organization affects the internal control over financial reporting (“ICFR”) of service users (e.g. tenants).
  • Risk basis: A service organization’s management will have to explain how all aspects of their services and control objectives are reasonable given the risk. They need to identify risks and the related control objectives in their description and explain how controls are deployed to mitigate the identified risks.
  • Period: The system description must cover the entire period of testing for operating effectiveness, rather than just the close of that period.
  • Assertion: The report is an attestation standard rather than just an audit standard. A service organization’s management will provide a detailed written assertion for the auditors, and this documented assertion is included with the SOC 1 report.

SOC1 is just the start. SOC2 comes next. Like a SAS 70, it intends to meet the needs of customers with regard to governance over service organizations. Unlike a SAS 70, it is meant to address operations and risk outside the internal financial controls. Service providers, in other words, should use a SOC2 instead of a SOC1. SOC 3 is a lighter version — it lacks the detailed test results of a SOC 2 — meant for a general audience.

SOC2 is based on the Trust Services Criteria (previously known as the SysTrust and WebTrust criteria). It will provide a SAS70-like report together with the criteria and control objectives that controls should meet when they are put in place. It is meant to cover the risk categories of Confidentiality, Integrity and Availability.
