
Who's on First in Service Organization Reporting?

SOC | WebTrust | SAS 70 | SysTrust | Assurance / Service Audits

Remember the famous Abbott and Costello bit from the 1930s known as “Who’s on First?” That classic scene often comes to mind when I think of CPAs explaining all of the changes to the attestation standards to their clients. I envision CPAs around the country having comical conversations like the following:

CPA: Client, as you know, the SAS 70 standard will be replaced by the SSAE 16 standard in June 2011.

Client: How do we need to prepare for the upcoming audit?

CPA: Well, first we need to finalize an agreement for your SOC 1 report.

Client: You mean SSAE 16?

CPA: Correct. What did I say?

Client: You said SOC 1.

CPA: Right, the SOC 1 report is for the SSAE 16 examination.

Client: Then why didn’t you just call it an SOC 1 examination to begin with?

CPA: For the same reason I didn’t call it an AT 801 examination.

Client: AT 801? I just want an SSAE 16 examination!

CPA: I know. That’s what I’ve been trying to tell you.

Just as the general public was making good progress towards replacing “SAS 70” with “SSAE 16” in its vernacular, the AICPA announced its Service Organization Control (SOC) reporting series (i.e., SOC 1, SOC 2, and SOC 3). Under this system, SOC 1 reports are SSAE 16 examinations. SOC 2 examinations are, in short, examinations performed under AT section 101 in which a service auditor reports on controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and/or privacy. SOC 3 is the new term for Trust Services reports (i.e., WebTrust and SysTrust).

Why another layer of terms? According to the AICPA’s recent alert, titled Service Organizations: New Reporting Options—2010/11, the reporting series is designed “to make practitioners aware of the various professional standards available to them for examining and reporting on controls at a service organization, and to help practitioners select the appropriate standard and related report for a particular engagement”. However, many practitioners worry that the SOC terminology will actually confuse consumers by giving virtually every service organization reporting standard a second, or even third, common name. For example, SSAE 16 is now synonymous with SOC 1, which is also synonymous with AT section 801.

Of course, there is no certainty as to whether the general public will ever embrace the new SOC reporting nomenclature. Perhaps they will prefer more intuitive terms, such as SSAE 16, ISAE 3402, WebTrust, SysTrust, and AT 101, over the use of SOC reporting categories. What we do know is that practitioners are best served by selecting a preferred set of terms and utilizing those terms consistently in the months and years ahead when presenting changes to the attestation standards to clients.

About Chris Schellman

Chris Schellman is the CEO and Founder of Schellman, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and a HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70s and has now contributed to nearly 2,000 SOC examinations.