The SAS 70 Audit Standard is Changing! Are you prepared?
By Ben Osbrach, National Risk Advisory Leader
Statement on Auditing Standards No. 70 (SAS 70) has rapidly become a known standard worldwide and its own publicity is ultimately the cause for change (about time). Well it is inevitable that things change, but the new standards that will likely replace SAS 70 audit comes with more flexibility and more responsibility of the service organization.
The International Auditing and Assurance Standards Board (IAASB) felt a need for a common auditing standard to address the varying differences in each countries audit requirements. As a result the IAASB formed and issued the International Standard on Assurance Engagements (ISAE) 3402 ‘Assurance Report on Controls at a Service Organization’ on December 18, 2009. ISAE 3402 is not a means to replace country specific standards (i.e. SAS 70) but to provide reporting option to address current limitations. The AICPA is in the process of updating SAS 70 audit to more closely align the standard with ISAE 3402, the new standard is likely going to be SSAE 16 and will become affective in June 2011.
Why the change?
The two major factors for the SAS 70 audit standard change is the restricted scope to financial relevant control objectives and the lack of a global standard.
- Why is the limited scope of financial relevant control objectives a limitation? The SAS 70 audit standard states that a SAS 70 audit is to only cover items that could have a financial impact on the customers of services organizations and does not currently include other contractual responsibilities that a service organization may be responsible for; including but not limited to SLAs, Disaster Recovery and regulatory compliance. Service Organizations who wish to adopt the new ISAE 3402 or when SSAE 16 comes into effect services organizations will have the option to include control objectives that align with their responsibilities to customers. This includes adding service level agreements, disaster recovery, regulatory compliance requirements, etc.
- What is causing the lack of a global standard? Service organizations are providing services to customers that may be located in different parts of the world and each country has their own unique audit standard. This has become a problem because a single standard cannot be used to cover all of your customer’s requirements and this has led to many organizations having to complete more than one audit. Currently there are a number of different standards, to name a few are Canada’s CICA 5970, UK’s AAF 01/06, AU’s GS007, JP’s Audit Standards committee report No. 18. Although countries will still have their own reporting requirements it is expected that standards such as SAS 70 will more closely be aligned with ISAE 3402 in the future.
How can service organizations prepare?
- Start communication with your auditor and user organizations.
- Identify the needed changes to your current SAS 70 audit.
- Assess how this will impact your compliance efforts and develop a plan NOW!
How is ISAE 3402 or SSAE 16 going to affect service organizations?
- Service organizations are going to be required to sign off on an assertion indicating that management confirms that their control activities were operating effectively.
- Service organizations are going to need to perform an assessment of their controls (monitoring procedures) in order to sign off on their assertion.
- A full description is now required for processes and controls covered in your SAS 70 audit report (many organizations already cover this requirement; however there are a number of reports issued over the past years with very limited descriptions).
- A risk assessment over the scope of your audit to determine the adequacy of your controls.
It is highly recommended that organizations start preparing for the upcoming changes to the SAS 70 audit standard. Some organizations may face significant road blocks on completing future engagements after the changes to the SAS 70 audit standard become effective.