• One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report.
  • SAS 70 has the following report types
    • In a Type I report, the service auditor will express an opinion on control implemented for specific date
    • In a Type II report, the service auditor will express an during on control implemented for  a  period, usually six month.
    • SAS 70, controls are self-defined by service organization and do not have cloud service provider in mind.
  • The SSAE 16 AICPA standard (Now SSAE 18), put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has effectively replaced the long-standing SAS 70, which was issued in April, 1992.
  • Service Organization Control (SOC) Reports (as in SSAE 18), effectively known as either SOC 1, SOC 2, and SOC 3 Reports, is a comprehensive framework put forth by AICPA geared towards reporting on controls at service organizations. Unlike SAS 70, the SOC framework is a specific set of reporting initiatives aimed at helping to clarify, distill, and bring about much needed transparency for reporting on controls at service organizations.  
error: Content is protected !!