Long live SSAE 16 and ISAE 3402!
One of the most misunderstood things about SAS 70 was the fact that it was technically only a valid auditing standard in the United States, even though SAS 70 reports are done for non-US based service providers and are relied upon by businesses and auditors worldwide. However, on or before June 15, 2011, that will change. As of that date, Statement on Standards for Attestation Engagements (SSAE) 16 and International Standards on Attestation Engagements (ISAE) 3402 will replace the venerable SAS 70. SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is issued by the International Federation of Accountants (IFAC).
The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same. There are a few differences that are important to financial auditors and lawyers, but should not have an impact on people relying on these reports for PCI compliance or other purposes. What is important is that now, no matter where you are in the world; you can obtain an independent assessment of a service provider’s controls.
There are three different types of AICPA Service Organization Control (SOC) reports. The SOC 1 (Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting) is what SAS 70 is now referred to and is conducted to the SSAE 16 standard. The SOC 2 (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy) and SOC 3 (Trust Services Report for Service Organizations, formerly known as WebTrust) are conducted to Attest Engagements section 101 standards. The AICPA has indicated that SOC 1, SOC 2 and SOC 3 reports have to be issued as separate reports.
For PCI and other IT or non-financial purposes, the SOC 2 report is the one that should provide you the most benefit as it can include controls relevant to security, availability, processing integrity, confidentiality and/or privacy. SOC 2 reports must use all or a complete subset of the SOC 3 principles. While not ITIL, HIPAA, PCI or such, they should be more than adequate to ensure an organization is conducting business to ensure appropriate practices. Best of all, as with the SOC 1, the CPA firm can issue an opinion as to whether those controls are functioning as designed. Why is an opinion important? Because the CPA firm has conducted testing over a given period of time (usually six to 12 months) to ensure that the controls tested functioned as designed for the period of time being audited. ISO and PCI certifications do not provide such assurances as they are as of a certain date not over a period of time. Although I understand that ISO is considering changes to their processes that may change their certification processes to be similar to SOC 2.
Unfortunately, financial auditors outside of the United States are, for the most part, unfamiliar with conducting such an assessment of controls. As a result, they will need time to get up to speed on such attestation engagements. So those of you outside of the United States need to be patient while the auditors in your country get up to speed.
Guidance on SOC 1 and SOC 2 reports need to be structured is expected by April 2011. So please do not bug your friendly CPA until after April 2011 regarding these new reporting standards. The bottom line is that we are expecting to see a lot of SOC 2 reports that will cover ITIL, HIPAA and PCI requirements as part of their testing. So start asking your service providers now for an SSAE 16 or ISAE 3402 report now so that your service provider can start asking their auditor to prepare such a report.