As part of the AICPA Auditing Standards Board's Clarity Project, Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, will soon be replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE 16). In conjunction with the change, the AICPA has introduced a new framework of three Service Organization Control (SOC) reporting options that address market demands and reinforce the profession's commitment to the public interest. By several measures, the migration from the longstanding SAS 70 standard to the SOC framework presents distinct opportunities for CPAs to support their clients. This article discusses ways in which these changes, in conjunction with other developments in the marketplace, can be leveraged into opportunities for CPAs to expand their service capabilities and grow their businesses.
Background on the Changes
SAS 70 was originally published in April 1992 and, until the split of the standard into both an auditing standard and an attest standard (SSAE 16) relating to the execution of a third-party service organization report, had not been significantly amended or changed. Shortly after the release of SSAE No. 16, the AICPA established a new framework for SOC reporting options (SOC 1, or SSAE 16, as well as SOC 2 and SOC 3). Factors that underpin the AICPA's decision to introduce this new SOC framework include:
* The need for clarity as it pertains to SOC reports used in support of financial audits.
* Lessons learned from implementation of the Sarbanes-Oxley (SOX) Act.
* Evolutions in technology and other emerging solutions offered by service organizations.
* Recognition of the loss of the "brand" and global acceptance related to SAS 70.
In recent years, there has been a growing concern that SAS 70 reports were broadening and covering subject matters that were not relevant to a user auditor conducting a financial audit of a user entity. Due in large part to increasing demands that many service organizations were receiving from their clients to demonstrate adherence to a long list of other standards and/or regulatory requirements such as the Health Insurance Portability and Accountability Act, COBIT and ISO, the scope of an alarming number of SAS 70 reports extended into areas that were not relevant to a financial audit. Concerns began to grow that the incorporation of scope not originally contemplated nor addressed by the SAS 70 standard could potentially be misunderstood by report recipients, and reporting on subject matter not addressed by the correct AICPA standard could represent risk to CPAs and the accounting profession in general. These concerns fueled the need for clarifications related to examination-level reports on service organization controls when the purpose is to...