The SAS 70 Report was recently changed by the American Institute of Certified Public Accountants (AICPA). Mainly, they added new guidance that relates specifically to service organizations. This change came into force on June 15, 2011 and professionals like Scott Tominaga.
Originally, the SAS 70 Report was designed so that auditors could communicate about assertions in financial statements. However, it quickly started to be treated almost like a certification, designating availability, security, and more in the world of financial reporting. Because organizations face significant risks, many of which fall outside financial reporting, new reports were needed as well.
What the AICPA decided to do was create an alternative so that those who use third-party services could remain focused on the key issues at hand, namely:
- Privacy.
- Confidentiality.
- Availability.
- Processing integrity.
- Security.
All of these issues were placed into the new Service Organization Control (SOC) reports. Three versions of them now exist, SOC 1 through SOC 3, and each has a unique purpose.
Three SOC Reports Explained by Scott Tominaga
- SOC 1
This report looks at the controls within a service organization as they relate to user entities' internal control over financial reporting. SOC 1 is compliant with the Statement on Standards for Attestation Engagements (SSAE) 16.
- SOC 2
This report also looks at the controls within a service organization. However, this report is specific to privacy, confidentiality, processing integrity, availability, and/or security. It follows a set of defined criteria and determines whether organizational operations are fully compliant with them.
- SOC 3
This report is different because, while it still relates to service organizations, it is the SysTrust report. This means it is similar to SOC 2, but it focuses particularly on the basic trust services principles and does not go into the detailed controls and test results. A SOC 3 report can also be displayed as a seal on a website.
How Reporting Has Changed
Because of the new standards, the contents of the reports have changed significantly, as has the reporting process itself. This means that organizations can now set themselves apart as being more relevant to their clients. Any service organization must describe what its system is, and this goes into far more detail than the original SAS 70 did. In fact, the description must include details about:
- Technology.
- Processes.
- People.
- Transaction classes.
- A written assertion that indicates management is fully responsible for how the system works and according to which evaluation criteria.
How to Choose a SOC Report
When you choose a SOC report, you have to consider who will read it, what they will use it for, and why. Ask yourself whether auditors will require the results, and whether they need to know what your controls were and what test results you had. In short, you need to know how much detail they require. Transitioning from SAS 70 to SOC is quite a lot of work, but that is why there are professionals like Scott Tominaga who are there to explain it all.