SOC Reports Evolution

Firms that use outsourced services know that outsourcing can affect their control over their financial reporting. In the past, they used an AICPA SAS 70 report on their vendors to gain assurance over their financial control. It was designed for purely financial matters.

But there are other issues for users of outsourced services. For some time those issues were squeezed into the SAS 70 framework.

Because of this, the AICPA and CICA discontinued the SAS 70 report in 2011. They created separate audit reports that address effects on financial reporting (SOC 1), and reports that address users’ concerns over security, availability, processing integrity, confidentiality and privacy (SOC 2 and SOC 3).

There are two good, quick video introductions to the evolution of SOC Reports from the AICPA:

Infographic on SOC Reports Evolution

This infographic is a useful summary up to 2012. Note that it excludes the Exposure Draft of changed Trust Services Principles that is planned to go live in mid-2014.

Source: AICPA


SOC Reports Evolution from SAS70 Infographic