SOC Reports Evolution
Firms that use outsourced services know that outsourcing can affect their control over their financial reporting. In the past they used an AICPA SAS 70 report on their vendors to gain assurance over their financial control. It was designed for purely financial matters.
But there are other issues for users of outsourced services. For some time those issues were squeezed into the SAS 70 framework.
Because of this, the AICPA and CICA discontinued the SAS 70 report in 2011. They created separate audit reports that address effects on financial reporting (SOC 1), and reports that address users’ concerns over security, availability, processing integrity, confidentiality and privacy (SOC 2 and SOC 3).
There are two good, quick video introductions to the evolution of SOC Reports from the AICPA:
- Video Introduction to SOC Framework (AICPATV 5 mins Jan 2011)
From the AICPA President, introducing the how and why of SOC reporting and the replacement of SAS 70.
- Video Introduction to SOC Reports (AICPATV 5 mins May 2011)
Another introduction to the how and why of SOC reporting and the replacement of SAS 70, and the introduction of SSAE 16 and SOC 1.
Infographic on SOC Reports Evolution
This infographic is a useful summary up to 2012. Note that it excludes the Exposure Draft of changes to the Trust Services Principles that is planned to go live in mid-2014.