SAS 70 is an auditing standard issued by the AICPA (the American equivalent of the Belgian Institute of Registered Auditors, the IBR/IRE) to govern the financial audit of an entity that uses a service organisation.
This standard created the demand for service organisations to have their service auditor draw up audit reports on the internal controls that are relevant to the financial reporting of the user organisation (the familiar “SAS 70 report”).
ISA 402 is the equivalent of SAS 70 issued by the IFAC (International Federation of Accountants). This standard contains guidelines only for the user entity’s auditor and does not provide any guidelines on drawing up a service audit report.
ISAE 3000 is an assurance (or attestation) standard issued by the IFAC that relates to performing assurance engagements other than the audit or review of historical financial information.
The scope of this standard is thus much broader than that of an SAS 70 report, which is limited to internal controls that are relevant to financial reporting. Under ISAE 3000, topics that are not relevant to financial reporting, such as confidentiality and privacy, can also be addressed. In addition, the entity need not be a service organisation.
ISAE 3402 is an assurance standard based on the general ISAE 3000 standard; it relates to the preparation of a service audit report on internal controls that are relevant to financial reporting (the controls referred to in ISA 402).
ISAE 3402 is thus the international equivalent of SAS 70 and replaced SAS 70 as from 15 June 2011 (see below).
SSAE 16 is the name under which ISAE 3402 was implemented in the US; it replaced SAS 70 as from 15 June 2011. There are a number of differences between ISAE 3402 and SSAE 16, but these differences are negligible.
Note that in Belgium there is no local variant of the ISAE 3402; in our reports we refer simply to the ISAE 3402.
SOC 1 is the name usually given in the United States to SSAE 16 reports (‘SOC 1 report’ is easier to pronounce than ‘SSAE 16 report’ or ‘ISAE 3402 report’).
SOC 2 reports are governed by American attestation standards (AT section 101, Attest Engagements) and relate to the controls at service organisations that are relevant to information security, availability, reliability of transaction processing, confidentiality or privacy.
The format of a SOC 2 report is equivalent to that of a SOC 1 report; the scope of a SOC 2 report, however, is much broader and is not limited to internal controls that are relevant to financial reporting. A SOC 2 report can also be issued under ISAE 3000.
The scope of a SOC 3 report is identical to that of a SOC 2 report. Whereas the distribution of a SOC 2 report is limited to clients of the service organisation and the other parties specified, a SOC 3 report can be distributed publicly. And while a SOC 2 report is in ‘long form’, a SOC 3 report is in ‘short form’.