New Standards for Assessing Risks

As more companies continue to look to external service organizations to provide non-core operational support, auditors have recognized a need for better internal control auditing standards. In the past, the primary audit standard for these external service providers was the Statement on Audit Standards No. 70, better known as SAS 70. In the absence of another internal control audit standard, SAS 70 became the de facto standard for companies seeking assurance that their service provider was secure and well-controlled. Service providers also touted their SAS 70 reports from auditors as though it were a “Good Housekeeping” seal of approval. The main problem was the fact that SAS 70 reports focused only on internal control over financial reporting. They did not provide any assurance on items such as information security, operational control or regulatory compliance.

To fill this vacuum, the American Institute of Certified Public Accountants has developed new standards to replace the outdated SAS 70. Now known as Service Organization Control (”SOC”) reporting standards, these new guidelines provide for three separate and unique reports to address the full complement of internal controls at an external service provider.

The first standard report, SOC 1, essentially replaces the SAS 70 report that focused solely on financial controls. However, SOC 2 and SOC 3 are new reports that will provide opinions on the effectiveness of controls related to operations and compliance. SOC 2 is a restricted use report intended for use between auditors of the service provider and their clients. SOC 3 is a general use report that can be used by the service providers in providing assurance to potential clients as a “seal of approval”.

These new reporting standards become effective June 15, 2011, so the ubiquitous SAS 70 will soon become a relic of the past. More importantly, companies will soon gain a better understanding of how well their service providers are managing their risks.