Who's on First in Service Organization Reporting?
SOC | WebTrust | SAS 70 | SysTrust | Assurance / Service Audits
Remember the famous Abbott and Costello bit from the 1930s known as “Who’s on First?” That classic scene often comes to mind when I think of CPAs explaining all of the changes to the attestation standards to their clients. I envision CPAs around the country having comical conversations like the following:
CPA: Client, as you know, the SAS 70 standard will be replaced by the SSAE 16 standard in June 2011.
Client: How do we need to prepare for the upcoming audit?
CPA: Well, first we need to finalize an agreement for your SOC 1 report.
Client: You mean SSAE 16?
CPA: Correct. What did I say?
Client: You said SOC 1.
CPA: Right, the SOC 1 report is for the SSAE 16 examination.
Client: Then why didn’t you just call it an SOC 1 examination to begin with?
CPA: For the same reason I didn’t call it an AT 801 examination.
Client: AT 801? I just want an SSAE 16 examination!
CPA: I know. That’s what I’ve been trying to tell you.
Just as the general public was making good progress towards replacing “SAS 70” with “SSAE 16” in its vernacular, the AICPA announced its Service Organization Control (SOC) reporting series (i.e., SOC 1, SOC 2, and SOC 3). Under this system, SOC 1 reports are SSAE 16 examinations. SOC 2 examinations are, in short, examinations performed under AT section 101 in which a service auditor reports on controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and/or privacy. SOC 3 is the new term for Trust Services reports (i.e., WebTrust and SysTrust).
Why another layer of terms? According to the AICPA’s recent alert, titled Service Organizations: New Reporting Options—2010/11, the reporting series is designed “to make practitioners aware of the various professional standards available to them for examining and reporting on controls at a service organization, and to help practitioners select the appropriate standard and related report for a particular engagement.” However, many practitioners worry that the SOC terminology will actually confuse consumers by giving virtually every service organization reporting standard a second, or even third, common name. For example, SSAE 16 is now synonymous with SOC 1, which is also synonymous with AT section 801.
Of course, there is no certainty as to whether the general public will ever embrace the new SOC reporting nomenclature. Perhaps they will prefer more intuitive terms, such as SSAE 16, ISAE 3402, WebTrust, SysTrust, and AT 101, over the use of SOC reporting categories. What we do know is that practitioners are best served by selecting a preferred set of terms and utilizing those terms consistently in the months and years ahead when presenting changes to the attestation standards to clients.
About CHRIS SCHELLMAN
Chris Schellman is the CEO and Founder of Schellman, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and a HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70s and has now contributed to nearly 2,000 SOC examinations.