Earlier in the year, SAS 70 was replaced with a new standard - SSAE No. 16, “Reporting on Controls at a Service Organization,” which provides for the issuance of SOC 1 reports. These deal with controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.
Originally, SAS 70 was intended for the use of auditors reporting on an organization that used service organizations to administer and run its internal control systems. However, SAS 70 reports began to be used widely by IT auditors to report on the IT controls in those systems, and although they weren't intended to be general purpose reports, they were often widely circulated by organizations that had them carried out, to demonstrate that their system was well controlled. Often this was for marketing purposes.
Now, service auditor reports for periods ending on or after June 15, 2011 are required to conform to the guidance contained in SSAE No. 16. Reports under SSAE No. 16 are referred to as SOC 1 reports, or “Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.” Use of these reports is still restricted to the management of the service organization, user entities and user auditors.
The new standards also provide for SOC 2 and SOC 3 reports. SOC 2 reports are called “Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy” and SOC 3 engagement reports are called “Trust Services Report for Service Organizations.” The latter are available as general purpose reports, which can therefore be released to the public.
The three types of reports are intended to meet the needs that have been identified for controls-based reports, and will hopefully provide IT auditors with a set of standards that is useful to them without compromising the purpose of their reports. For an article on this change, see this link.