AT 101 Standards Audit
When a company seeks to provide its clients with assurance about controls that do not affect the clients' internal control over financial reporting, a SOC 2 report is the right choice for auditing those internal controls. This audit is a new entry among the audit options available to AICPA firms, designed specifically for Service Organizations that want to demonstrate strong internal IT controls and that have no direct reporting link to a financial statement. For example, many companies are asked to demonstrate their controls over the privacy and security of healthcare or other private information. Previously, such organizations were asked to provide a SAS 70 audit, which was the incorrect reporting format. Recognizing the emerging need for internal control audits without a direct link to financial statements, the AICPA introduced the SOC 2 and SOC 3 audits under the AICPA AT 101 standards. The SSAE 16 audit is the successor to the SAS 70; if your firm (Company) is interested in an SSAE audit, you may want to visit the page on our website regarding that particular report.

A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm, which reports on an assertion from the Service Organization's management about its controls. Through rigorous auditing and review of those controls, the CPA firm attests to the accuracy of the controls asserted by management in the formal assertion written specifically for the audit. Much like the old SAS 70 and the new SSAE 16 reports, an AT 101 audit results in either a Type 1 report, which reports only on the design of the IT controls, or a Type 2 report, which verifies the controls' operating effectiveness over a specific period of time.
A SOC 2 report can be based upon criteria established by management, third parties or industry standards. However, the report must address one or more of the following areas of control:
Security
Availability
Processing Integrity
Confidentiality
Privacy
Service Organizations may choose to use any or all of these criteria.
Type 1 SOC 2 Report
A Type 1 SOC 2 examination provides a report on the fairness of the presentation of management's description of the Service Organization's system and on the suitability of the design of its controls in meeting the applicable criteria. Much like the SSAE 16 Type 1, it is not a report on the operating effectiveness of the controls or system; it is a report on the sufficiency of the design of the system and its controls.
Type 2 SOC 2 Report
A Type 2 SOC 2 examination provides a report that contains everything in a Type 1 report and also includes (1) the service auditor's opinion on the operating effectiveness of the controls in meeting the applicable criteria and (2) a description of the service auditor's tests of the operating effectiveness of the controls and the results of those tests.
