In response to market demand and changing business practices — particularly outsourcing and the transition to cloud computing — the American Institute of CPAs (AICPA) in 2010 issued new auditing standards and audit guides that replaced the decades-old SAS 70 standards and audit guide. The new standards and audit guides, called Service Organization Control (SOC) reports, build on SAS 70 and focus on the misuse of SAS 70 reports for non-intended assurance purposes, align reporting with international standards, and provide more reporting options to address non-financial transaction and reporting subject matter and assurance needs. These new standards went into effect for all reports issued after June 15, 2011. Learn why these changes are important to not-for-profits.

1. November 2012
MHMMessenger
TM
M AY E R H O F F M A N M C C A N N P. C . – A N I N D E P E N D E N T C PA F I R M
A publication of the Professional Standards Group
Evolving Business Practices Spur Transition from SAS 70 to SOC Reports
In response to market demand and changing business control issues related to these activities and execute
practices — particularly outsourcing and the transition careful due diligence and oversight of the vendors
to cloud computing — the American Institute of CPAs providing these services, not-for-profits should get up
(AICPA) in 2010 issued new auditing standards and to speed on SOC 2 reports, which are growing more
audit guides that replaced the decades-old SAS 70 common.
standards and audit guide. The new standards and
audit guides, called Service Organization Control SAS 70 History
(SOC) reports, build on SAS 70 and focus on the
misuse of SAS 70 reports for non-intended assurance Introduced in 1992, SAS 70 arrived at a time when
purposes, align reporting with international standards, outsourcing was in its infancy. Organizations were
and provide more reporting options to address non- just beginning to outsource some key tasks, such
financial transaction and reporting subject matter and as payroll, but for the most part still handled their
assurance needs. These new standards went into primary IT processes in house. Still, outsourcing
effect for all reports issued after June 15, 2011. even a small fraction of tasks brought concern about
how those processes were performed by a third-
Why are these changes important to party organization. SAS 70 was developed to assist
not-for-profits? external auditors in planning audits of their clients’
financial statements when the clients used third-party
Not-for-profits have long outsourced payroll and service providers for financial transaction processing
pension recordkeeping so they are well acquainted and reporting services and functions.
with SAS 70 reports. For these purposes, not-for-
profits will now receive SOC 1 reports instead of SAS As outsourcing became more widespread and
70 reports. While similar, there are some significant organizations were paying closer attention to corporate
differences in these reports, which are addressed later governance, SAS 70 was being relied upon for uses
in this Messenger. beyond the scope of its original design, which was as
an external auditor-to-auditor communication on the
More significantly, many not-for-profits have recently fair presentation, design, existence and operation
begun to outsource other functions as well, and at the of financial transaction processing and reporting
same time are exploring cloud-based hosting for some controls. With the introduction of Software as a Service
systems, email and document storage. To address (SaaS), cloud computing and the proliferation of data
privacy laws and regulations, SAS 70’s shortcomings
became even more apparent. Organizations and their
clients that have embraced SaaS and the cloud have
demanded — and under certain laws and regulations
our roots run deep TM (Continued on Page 2)
© 2 0 1 2 M A Y E R H O F F M A N M C C A N N P . C . 877-887-1090 • www.mhm-pc.com • All rights reserved.

2. MHMMessenger
(Continued from Page 1)
are legally responsible for obtaining — greater These restricted-use reports address the controls at
assurance about the security, confidentiality, privacy, a service organization related to financial transaction
availability and processing integrity of their service processing and reporting likely to be relevant to a
providers. customer’s external auditor in planning the company’s
financial statement audit. These reports are not
As SAS 70 was never intended to address these designed or intended for promotional purposes, for use
concerns it became clear that. SAS 70 was not an by prospective customers, or to address non-financial
adequate examination and reporting method for transaction and reporting controls, such as security,
meeting the evolving variety of assurance needs, so privacy, or regulatory compliance. The applicable
new, more robust and appropriate standards were professional standard is SSAE 16, Reporting on
developed. Controls at a Service Organization. While similar to
SAS 70, SSAE 16 introduces several key differences,
About SOC Reports including:
There are three types of SOC reports that address • Attestation Standard: These standards are
assurance for service organizations. According to specifically designed to address guidance and
the AICPA, “each type of report has an accepted requirements for examining and reporting on other
professional standard under which the audit will be subject matter than financial statements, such as
performed to allow for a common nomenclature when controls and compliance.
referring to reports going forward while allowing for a
more frequent update of the professional standards.” • Focuses on a Service Organization’s “System
of Controls”: Where the SAS 70 audit standard
The new SOC reports provide a framework for CPAs to focused on the service organization’s specified
examine controls and to help management understand control objectives and controls and allowed
the related risks of outsourcing to a service provider. service organizations to customize the scope,
The new standards will eliminate the common but the revised standard focuses on the controls that
faulty practice of using SAS 70 to issue reports on a service organization implements to prevent, or
controls related to outsourced non-financial functions detect and correct, errors, as well as omissions in
and data rather than the correct attest standard. SOC the transaction processing and information that a
reports clarify specifically which standard needs to be service organization provides to its customers.
used and how it should be implemented.
• Management Must Provide Assertion: Similar to
Overview of the three types of SOC reports SOX Section 302, management must provide an
and related professional standards assertion report taking ownership for a description
of the system of controls, design and operation of
SOC 1 reports are restricted reports intended controls, and risk assessment and criteria used to
as auditor-to-auditor communication and direct establish the control objectives and controls.
replacements for SAS 70s.
(Continued on Page 3)
© 2 0 1 2 M A Y E R H O F F M A N M C C A N N P . C . 877-887-1090 • www.mhm-pc.com • All rights reserved.

3. MHMMessenger
(Continued from Page 2)
• Establishes Requirements for Subservice and analysis services, printing and mailing services,
Providers to be Included in the Report and data repositories, etc. The applicable professional
Tested Controls: In order to include controls at standards are AT 101, Attestation Engagements
subservice organizations (companies that provide and TSP 100 Trust Services Principles, Criteria and
services to the service organizations, such as a Illustrations.
third-party data center for hosting systems and
a bank for lockbox and automatic clearinghouse When evaluating SaaS or cloud outsourcing providers,
transfer processing), the subservice organization not-for-profit executives should take into account the
must also provide a management assertion report information in a SOC 2 report, as well as responses to
and description of its system of controls, and have a series of targeted questions, such as:
the auditor test its controls.
• What is your service level agreement for uptime
• International Alignment: SSAE 16 and related access to the software?
SOC1 reporting were aligned with the comparable
international auditing and reporting standards. • What is your disaster recovery/business continuity
plan?
• Description of Control System for the Entire
Examination Period: Under SAS 70, the • What is your uptime and outages?
description needed to be a fair presentation of the
controls as of the end of the examination period, • How do you communicate problems, outages and
such as December 31. Under SSAE 16 and SOC1, fixes to your customers?
the description must fairly describe the system of
controls for the entire examination period, including • How are backups implemented and how long is
all changes. data kept?
SOC 2 reports address issues stemming from • Who has access to the data and the hardware on
non-financial controls regarding information. which it is running?
These reports are designed to meet the needs of a • How is redundancy implemented within the
broader range of users, including knowledgeable environment? (Do you have spare disk drives,
prospective customers of the service. The reports can servers, power supplies, Internet circuits? Do you
be used to provide assurance on security, availability, have another data center to switch to in the event
processing integrity, confidentiality and privacy your main data center becomes unavailable?)
related to the provided services based on the AICPA’s
Trust Services Principles and Criteria and Generally SOC 3 reports provide for brevity.
Accepted Privacy Principles. These reports also can
be used for non-financial transaction processing These reports are also based on the Trust Services
and reporting services, such as cloud computing, Principles and Criteria and Generally Accepted
data center hosting, SaaS, email services, database Privacy Principles as with SOC 2. However, SOC 3
(Continued on Page 4)
© 2 0 1 2 M A Y E R H O F F M A N M C C A N N P . C . 877-887-1090 • www.mhm-pc.com • All rights reserved.

4. MHMMessenger
(Continued from Page 3)
are short-form reports that can be publicly distributed Organizations can choose to use SOC 2 or SOC 3
and posted on a service organization’s website or reports depending on what type of assurance they are
through the AICPA/CICA’s WebTrust Seal program trying to achieve. Essentially, an organization looking
and site. SOC 3 reports contain a general description to provide a higher level of assurance to the public
of the service and system of controls, management’s would choose SOC 3 reports while an organization
assertion reporting, and the auditor’s opinion as to aiming to provide deeper assurance to their clients
whether the management-specified Trust Services would probably choose SOC 2 reports. In some
Principle in the assertion report met the related Trust cases, organizations may elect to do both a SOC 2
Services Criteria during the examination period. As and a SOC 3 audit to address the concerns of dual
with SOC 2, the applicable professional standards are audiences.
AT 101, Attestation Engagements and TSP 100 Trust
Services Principles, Criteria and Illustrations. For More Information
Because SOC 3 reports are short-form reports that For more information on how these new SOC reports
exclude reporting on the detailed controls and related may impact your organization’s financial reporting,
testing and results, service organizations that rely on due diligence oversight of service organizations and
controls at subservice organizations or customers to assurance requirements, please contact Michelle
meet any applicable trust services criteria can’t obtain Spriggs or your MHM professional. Michelle can be
a qualified opinion unless the report includes assertion reached at mspriggs@cbiztofias.com or 774.206.8336.
reports and descriptions of the control systems from
the subservice organizations and customers, and the
auditor tests these controls. Therefore, they are only
appropriate for some organizations.
The information in this MHM Messenger is a brief summary and may not include all the details relevant to your situation.
Please contact your MHM service provider to further discuss the impact on your financial statements.
© 2 0 1 2 M A Y E R H O F F M A N M C C A N N P . C . 877-887-1090 • www.mhm-pc.com • All rights reserved.