What is an SAS70 Report?
SAS70 (Statement on Auditing Standards No. 70) was
developed nearly 20 years ago by the American
Institute of CPAs (AICPA)
as a standard audit approach for service companies
to use with their customers instead of customers
individually auditing the service companies. There
were two report types, SAS70 Type I and SAS70 Type II.
The Type I audit was designed to assess the
sufficiency of the service company's controls as of
a particular date, while the Type II audit was
designed to assess the operating effectiveness of
those controls over a review period. So the Type I
looked at the company's controls to see if they were
sufficient and properly designed, while the Type II
actually tested the controls to see if they were
working as designed.
Organizations using third-party service
companies, particularly in any area with a
compliance exposure, relied on SAS70 Type II audit
reports from every service provider as an extension of
their own governance and compliance program. CIOs
specifically were expected to incorporate SAS70 Type
II audit reports into all IT service provider
contracts under their vendor management programs in
order to fulfill their compliance requirements.
SSAE 16: the SAS70 Replacement
SSAE 16 (Statement
on Standards for Attestation Engagements No. 16),
Reporting on Controls at a Service Organization, is
the next evolution in examining a service provider's
controls and rendering an opinion for the provider's
customers. The reports it produces are also referred
to as Service Organization Control (SOC 1) reports.
SSAE 16 includes a number of
improvements in the examination of service providers
which will benefit CIOs and customers of IT service
companies who found the SAS70 Type II audit reports
lacking.
Like SAS70, SSAE 16 is to be used when an entity
outsources "a business task or function and the data
resulting from that task or function is incorporated
in the (customer's) financial statements." This
creates broad applicability to a significant number
of service providers, from payroll providers to data
center colocation providers, IT outsourcing and
managed services companies, managed hosting
providers, and an ever-increasing array of cloud
service providers.
SSAE 16 vs. SAS70
The main differences can be summarized in five
comparisons, which are described in detail in the
AICPA SSAE 16 FAQs:
Attestation vs. Audit: The AICPA believes the
examination of service providers is more of an
"attest" activity than an "audit" and saw
fit to move it under the SSAE attestation standards,
leaving the SAS series for audits of
financial statements.
System: Service providers must now describe
their “system” whereas under SAS70 they only had to
address the controls.
Management Assertion: The management of the
service provider is now required to provide a
written assertion about the "system" description and
the suitability of the controls' design and, in a
Type 2 engagement, the operating effectiveness of the
controls.
Time Period: In an SSAE 16 Type 2 engagement the
auditor's opinion on the "system" description and
the suitability of the controls' design now covers
the whole review "period" rather than a specific
"date." Under SAS70 those parts of the opinion were
as of a single date, and only the testing of
operating effectiveness covered a period.
Sub-Organizations: Service providers who
rely on other service providers (subservice
organizations) for some or all of the "system" must
now address them. This is done either by including
them in the "system" description and everything that
follows from it (the inclusive method), or by
excluding them from it (the carve-out method) while
describing how the service provider monitors the
effectiveness of the subservice organization's
controls.
SSAE 16 Tips
SSAE 16 Certification: SSAE 16 is NOT a
certification. It is an attestation report covering a
specific date (Type 1) or a specific period (Type 2).
Service providers should not represent themselves as
SSAE 16 "certified" or SSAE 16 "compliant". This is
unchanged from SAS70.
SSAE 16 Applicability: SSAE 16, just like
SAS70, should not be used as an examination of
controls other than those over financial reporting.
That does not exclude IT: the IT general controls
which underlie financial reporting are a proper use.
Sufficiency for You:
An IT service provider's SSAE 16 report, just as
before under SAS70, does not mean the controls'
design or operating effectiveness is sufficient for
your organization's control objectives. CIOs must
read the SSAE 16 report and decide for themselves
whether the service provider represents an undue
risk, and your vendor management program must address
any provider that does.
Contract Provision: CIOs must ensure that all
service provider contracts, especially IT service
provider contracts, include a requirement that annual
SSAE 16 reports be provided as part of the
contract. Additionally, it is advisable to retain
the right to audit or test IT controls at your own
discretion, which should include vulnerability scans.
What About You: A large number of colleges
and universities provide a significant amount of IT
services to third parties who are affiliates,
stakeholders or tenants. Chances are those services
include accounting, payroll, human resources and
other functions run on the college's ERP system and
possibly its payment systems. In all likelihood that
makes you an IT service provider, and your customers
may come asking for an SSAE 16 report.
Status of Your Vendors: By now you should
have begun receiving SSAE 16 reports from the
service providers who previously provided SAS70
reports. Providers whose "system" description differs
from the "controls" they previously reported on must
go back and complete the SSAE 16 examination now. For
vendors who have not previously provided SAS70
reports, now is a good time to update your vendor
management program and start requesting the SSAE 16
report.
Ask Your Auditor: I am a firm believer that
CIOs should have regular meetings with their CFO
and external auditors as part of maintaining the
relationship and keeping the lines
of communication open. CIOs should view their
external auditors as a resource for questions
before it is too late. And now that SSAE 16 is out,
this is a good topic to meet with them on and solicit
their view of your list of service providers.
This
new bill is speeding through Congress and would impose
new, higher standards for corporate IT security with
stiff penalties for non-compliance.
To see the regulatory future
today, read the details of the Personal Data Privacy
Act of 2005 as introduced by Senators Arlen Specter
and Patrick Leahy.
It is Congress' response to the 2005 lapses in IT
security at ChoicePoint and LexisNexis, and to the
theft of over 40 million U.S. credit card holders'
personal information, due to lax IT safeguards.