- Published: 09 November 2012
- Written by NStinchcombe
ISACA, a global IT association with 100,000 members in 180 countries, teamed up with the American Institute of CPAs (AICPA) to issue a user guide on Service Organization Control Reports℠ that help evaluate risk, reliability and compliance issues regarding outsourced tasks or functions. The guide, titled SOC 2℠ User Guide for Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, is available at www.isaca.org/SOC2.
To address issues that went beyond the scope of Statement on Auditing Standards No. 70, the AICPA developed Service Organization Control (SOC) Reports (SOC 1℠, SOC 2℠ and SOC 3℠ reports), based on the technical standards of Statement on Standards for Attestation Engagements (SSAE) No. 16 and Trust Services. In May 2011, the AICPA issued Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2), which uses the AICPA’s Trust Services Principles and Criteria to report on controls at a service organization. The SOC 2 report provides service organizations and users with more flexibility in compliance and operational reporting on controls. It addresses the risk of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.
“IT auditors need to fully understand the SOC 2℠ report, including the standards and guidelines within, to be able to provide thorough and valuable services. This user guide will help IT professionals gain a much deeper understanding of the report, resulting in better reporting and improved controls,” said Floris Ampe, CISA, CGEIT, CRISC, CIA, ISO 27001, PwC, Belgium, chair of the guide’s development team. “The guide will also be helpful to banks, financial institutions and enterprises that need to comply with HIPAA and the US Gramm-Leach-Bliley Act.”
The SOC 2℠ User Guide focuses on the SOC 2 report issued by service organizations relevant to the effectiveness of the design and operation of their controls related to security, availability, processing integrity, confidentiality or privacy. The guide describes service organization reports (SOC 1℠, SOC 2℠ and SOC 3℠) and explains:
· The standards used and the scope of a SOC 2℠ report
· How to determine the user entity’s needs when obtaining a SOC 2℠ report
· How to communicate the user entity’s needs to the service organization
· How to interpret the SOC 2℠ report provided by the service organization
“The AICPA issued a guide earlier this year that helps CPAs take full advantage of SOC 2℠ engagements,” said Chris Halterman, CPA, executive director at Ernst & Young and chair of the AICPA’s Service Organization Control Reporting Task Force. “This new guide will help users of outsourced services who are evaluating a SOC 2℠ report as part of a vendor assessment or other review of controls.”
For information on the SOC 2℠ User Guide for Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, visit www.isaca.org/SOC2. For general information on SOC reports, the SOC logo and usage guidelines, as well as an educational and marketing toolkit for service organizations, visit www.aicpa.org/SOC.
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
About the AICPA
The American Institute of Certified Public Accountants (AICPA) is the world’s largest member association representing the accounting profession, with nearly 386,000 members in 128 countries and a 125-year heritage of serving the public interest. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting.
The AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination and offers specialty credentials for CPAs who concentrate on personal financial planning; fraud and forensics; business valuation; and information technology. Through a joint venture with the Chartered Institute of Management Accountants (CIMA), it has established the Chartered Global Management Accountant (CGMA) designation to elevate management accounting globally.
The AICPA maintains offices in New York, Washington, DC, Durham, NC, and Ewing, NJ.
Media representatives are invited to visit the AICPA Press Center at aicpa.org/press.
Contacts:
ISACA:
Kristen Kessinger, +1.847.660.5512
Hannah Rafferty, +44 (0) 207 183 2836, Hannah@eskenzipr.com
AICPA:
Jeff May, +1.212.596.6122