Since 1992, companies that provide business process outsourcing and data services, also known as service organizations, have utilized Statement on Auditing Standards No. 70 Service Organizations reports, commonly known as SAS 70s, to meet the independent assurance needs of their stakeholders. Customers came to view the SAS 70 report as the de facto standard for independent assessment and assurance of a service organization’s internal control design and operating effectiveness.
Effective June 15, 2011, three new Service Organization Controls (SOC) report options replaced the SAS 70. Service organizations need to consider how the end of the SAS 70 era will affect them, as well as determine which of the new report options will best fit their stakeholders’ needs. Each of the new report options has unique advantages, and what some consider disadvantages, so proper selection of one or more of new report options is imperative. It’s also important to ensure an orderly transition from the old SAS 70 report to the new SOC report options to effectively meet the assurance needs of your stakeholders, including current and prospective customers, business partners, management, and regulators.