Executive Summary

Prior to 2011, customers (user entities) who engaged third-party service providers (service organizations) to perform functions and/or processes that impacted the user entities’ internal control over financial reporting (ICFR) typically required Statement on Auditing Standards (SAS) No. 70 Type 2 reports1 from service organization auditors (service auditors) that could be relied upon by the user entities’ management and auditors (user auditors) in discharging management’s responsibilities under the Sarbanes-Oxley Act of 2002 (SOX) and assuring the effectiveness of the user entities’ ICFR. SAS 70 contained the requirements and guidance for both service auditors reporting on controls at service organizations and user auditors auditing the user entities’ financial statements. Statement on Standards for Attestation Engagements (SSAE) No. 162 now provides the requirements and guidance for service auditors in such contexts and to that extent supersedes SAS 70. Going forward, where the service organization’s services affect the user entity’s ICFR, user entities should require in their outsourcing services contracts that service organizations provide Service Organization Control (SOC) 1 Type 2 reports under SSAE 16 rather than SAS 70 Type 2 reports. Additionally, user entities will want to more carefully focus on the limitations of the SOC 1 Type 2 report which, as was also the case with the SAS 70 Type 2 report, addresses only financial reporting and does not address controls over other important matters such as the security, availability, processing integrity, confidentiality or privacy of the user entities’ information or operations handled by the service organizations’ system3 that do not relate to financial reporting. SOC 2 and SOC 3 reports4 (which will be described in a future Legal Alert) will address these elements of the service organizations’ system that do not impact the user entities’ ICFR.