AICPA Publishes Guidance on Next Generation of SAS 70

Cloud computing providers and healthcare claims processors are among the information system service organizations who will benefit from new CPA reporting options developed by the American Institute of Certified Public Accountants.

“The AICPA developed these new Service Organization Control reports in response to marketplace demand,” said Barry Melancon, AICPA president and CEO. “Service organizations have been vocal about their clients wanting assurance that they have effective controls for all their data – not just financial information. These reporting options will help them build that trust with their clients.”

“As accounting firms and their clients increasingly move to the cloud, greater confidence in data security, confidentiality and privacy is needed,” said Erik Asgeirsson, president and CEO of CPA2Biz, a leading cloud solutions provider and subsidiary of the AICPA. “This is a major evolution from SAS 70 that meets the need in the marketplace and will have a substantial impact on CPAs and their clients.”

The AICPA designed the new, illustrative Service Organization Control (SOC) reports to help companies that outsource tasks or functions to third party information system providers, such as Intacct or Salesforce.com. Data security risks require greater due diligence to avoid internal control breakdowns. Melancon provides an overview of how the guidance and reports were developed in an online video.

The new SOC reports, formerly called SAS 70 reports, provide a framework for CPAs to examine controls and to help senior management understand the related risks of outsourcing to a service provider.

Companies had misused SAS 70 to issue reports on controls related to outsourced non-financial data rather than the correct attest standard which was in place. The SOC reports clarify which standard needs to be used and how it should be implemented to meet specific user needs.