January 18, 2011

A new look for SAS 70 Compliance! Are you prepared?

By Ben Osbrach, National Risk Advisory Leader

System Organization Controls - SOC 1, SOC 2 and SOC 3

What is SAS 70?

SAS 70 is an internationally recognized third party assurance audit designed for service organizations. It has become the most widely accepted compliance initiative that provides service organizations a benchmark to compare their internal controls and processes against industry best practices. Statement on Auditing Standards No. 70 (SAS 70) was originally created in 1992 and over the past five to ten years has become globally recognized as one of the highest forms of third party assurance. SAS 70 audits have become the global de facto standard in third party information security assurance. The passage of laws like Sarbanes-Oxley (SOX) has prompted other countries to re-evaluate their own forms of SOX regulations, driving companies to enter a new realm of oversight and regulation related to third party assurance. The Public Company Accounting Oversight Board provided guidance for companies that are required to comply with SOX on how to evaluate the risk of outsourcing services to third party vendors. Within this guidance it indicated that a company could utilize a SAS 70 Type II audit to evaluate its vendors' control environments, igniting the SAS 70 era for service organizations.

Why the change?

Statement on Auditing Standards No. 70 (SAS 70) has rapidly become a known standard worldwide, and its own publicity is ultimately the cause for change. It is inevitable that things change, but the new standard that will replace SAS 70 comes with additional requirements and more responsibility for the service organization.

The International Auditing and Assurance Standards Board (IAASB) felt a need for a common auditing standard to address the differences in each country's audit requirements. As a result the IAASB formed and issued the International Standard on Assurance Engagements (ISAE) 3402 'Assurance Report on Controls at a Service Organization' on December 18, 2009. ISAE 3402 is not a means to replace country specific standards (i.e. SAS 70) but provides a reporting option to address current limitations. The American Institute of Certified Public Accountants (AICPA) has recently updated the SAS 70 audit to more closely align the standard with ISAE 3402; the new standard is Statement on Standards for Attestation Engagements No. 16 (SSAE 16) 'Reporting on Controls at a Service Organization' and will become effective on June 15, 2011 (earlier adoption is permitted).

A common misunderstanding of SAS 70 audits over the past years is that a company that undergoes a SAS 70 becomes "SAS 70 certified." This is not the case, but rather a perception that has taken hold over the past years. Another popular misperception is that a SAS 70 audit is a security audit and is supposed to be used to ensure the confidentiality and privacy of customers' information.

The SAS 70 audit scope is only relevant for service organizations that provide a service that could impact their clients' financial statement reporting. Therefore a company that is merely housing private or confidential data does not necessarily qualify for a SAS 70 audit. Due to these misperceptions, the IAASB's new standard ISAE 3402, and the ever growing need for third party assurance over service organizations, the AICPA is not only creating the new SAS 70 (SSAE 16) but is attempting to redo the entire face of service organization audits. The AICPA is rebranding its SAS 70, SysTrust and WebTrust audits, and the new brand will fall under three different Service Organization Control (SOC) reports (SOC 1, SOC 2 and SOC 3).

The three different SOC reports are designed not only to cover the current need for SAS 70 audits but also to assist organizations in understanding the appropriate audit for their company.

  • SOC 1 report is an engagement performed under SSAE 16 in which a service auditor reports on controls at a service organization that may be relevant to user entities' internal control over financial reporting. A Type II report contains a detailed description of the service auditor's tests of controls and results.
  • SOC 2 report is an engagement performed under AT section 101 and is based on the existing SysTrust and WebTrust principles. This report will have the same options as the SSAE 16 report, where a service organization can decide to undergo a Type I or Type II audit, but instead of the audit being based on internal controls over financial reporting, the audit's purpose will be to report on the service organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy. The criteria for these engagements are contained in the Trust Services Principles, Criteria and Illustrations.
  • SOC 3 report is an engagement that is also performed under AT section 101 and is likewise based on the criteria contained in the Trust Services Principles, Criteria and Illustrations. However, the SOC 3 report does not contain a description of the service auditor's tests and results like the SOC 1 and SOC 2 reporting options. These reports are general use reports and fall under the SysTrust and WebTrust seal programs. Clients that obtain a SOC 3 report can obtain a SysTrust or WebTrust seal to place on their website as long as they maintain compliance (successfully complete a SOC 3 report every 12 months).

So what is changing in SSAE 16?

New reporting requirements

SSAE 16 comes with two new reporting requirements for your service auditor. The first applies only under the Type II report option and requires that the auditor's opinion state that the design of controls was in place during the entire reporting period. Previously the opinion only required the auditor to sign off on the design of controls as of the last day of the audit period. The other new requirement under SSAE 16 is that a service organization must provide a description of the service organization's system, where SAS 70 only required a description of controls. Including a description of the system in addition to the existing description of controls can be a much more daunting task. Many organizations already meet this requirement; however, a number of reports issued over the past years contain very limited descriptions of the organization's information systems.

New Requirements for Service Organizations

The new standard for service auditors will fall under the "attestation" standards instead of the "auditing" standards. Due to this change the service auditor's report will change from its current form and require additional responsibilities for management at the service organization. This will affect the service organization by requiring it to present a written assertion statement to support the attest services. AND WHAT EXACTLY DOES THAT MEAN? Simply put, management now signs a statement agreeing that the report is true and accurate to the best of their knowledge. However, to provide a full picture we have outlined these requirements below:

  • The addition of an assertion statement to the SSAE 16 audit forces management to have a reasonable basis to support their assertion. It will be prudent for management to ensure that their statement is accurate and that they have performed all necessary procedures in order to mitigate the risk of asserting inaccurate information. This is why management needs to perform the necessary procedures in accordance with SSAE 16 to form a basis for their assertion statement.

Basis for Assertion

  • Management needs to have a formalized and documented monitoring process in order to support their assertion statement. Examples of monitoring activities include:
      • Monitoring activities may provide evidence for control activities (assesses effectiveness over time)
      • Can be ongoing monitoring or separate evaluations, or a combination of the two
      • Could include Internal Audit or ongoing monitoring of information provided by external parties (regulators, customers, etc.)
      • Consider risks to achieving objectives and how management would identify failures
  • Management should perform an annual risk assessment:
      • Formal or informal process for evaluating risks and the likelihood of achieving the control objectives
      • Assists with the evaluation of controls and assessing management's process and basis for assertion

How can service organizations prepare?

  1. Start communication with your auditor and user organizations.
  2. Identify the needed changes to your current SAS 70 audit.
  3. Assess how this will impact your compliance efforts and develop a plan NOW!

How is ISAE 3402 or SSAE 16 going to affect service organizations?

  1. Service organizations are going to be required to sign off on an assertion indicating that management confirms that their control activities were operating effectively.
  2. Service organizations are going to need to perform an assessment of their controls (monitoring procedures) in order to sign off on their assertion.
  3. A full description is now required for the processes and controls covered in your SAS 70 audit report (many organizations already meet this requirement; however, a number of reports issued over the past years contain very limited descriptions).
  4. A risk assessment over the scope of your audit will be needed to determine the adequacy of your controls.

It is highly recommended that organizations start preparing for the upcoming changes to the SAS 70 audit standard. Some organizations may face significant roadblocks in completing future engagements after the changes to the SAS 70 audit standard become effective.