SAS 70 Is Dead!

Long live SSAE 16 and ISAE 3402!

One of the most misunderstood things about SAS 70 was that it was technically only a valid auditing standard in the United States, even though SAS 70 reports are produced for non-US service providers and are relied upon by businesses and auditors worldwide.  That changes for reporting periods ending on or after June 15, 2011.  As of that date, Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagements (ISAE) 3402 replace the venerable SAS 70.  SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA); ISAE 3402 is issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC).

The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same.  There are a few differences that matter to financial auditors and lawyers, but they should not affect people relying on these reports for PCI compliance or other purposes.  What is important is that now, no matter where you are in the world, you can obtain an independent assessment of a service provider’s controls.

There are three types of AICPA Service Organization Control (SOC) reports.  The SOC 1 (Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting) is the successor to the SAS 70 report and is conducted under the SSAE 16 standard.  The SOC 2 (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy) and SOC 3 (Trust Services Report for Service Organizations, formerly known as WebTrust) are conducted under the AICPA attestation standards in AT Section 101.  The AICPA has indicated that SOC 1, SOC 2 and SOC 3 must be issued as separate reports.

For PCI and other IT or non-financial purposes, the SOC 2 report is the one that should provide you the most benefit, as it can include controls relevant to security, availability, processing integrity, confidentiality and/or privacy.  A SOC 2 report must address one or more of those Trust Services principles (the same principles used for a SOC 3), and each principle chosen must be covered in full.  While not ITIL, HIPAA, PCI or the like, these principles should be more than adequate to show that an organization follows appropriate practices.   Best of all, as with the SOC 1, the CPA firm can issue an opinion as to whether those controls are operating as designed.  Why is an opinion important?  Because in a Type II report the CPA firm has tested the controls over a period of time (usually six to 12 months) and states whether the controls tested operated as designed throughout that period.  A Type I report only describes the controls and the suitability of their design as of a single date, so ask for a Type II when you want assurance that the controls actually operate.  ISO and PCI certifications do not provide such assurance, as they attest to a point in time rather than to a period.  I understand, though, that ISO is considering changes that may make its certification process similar to SOC 2.

Unfortunately, financial auditors outside of the United States are, for the most part, unfamiliar with conducting such assessments of controls.  As a result, they will need time to get up to speed on attestation engagements, so those of you outside the United States will need to be patient while the auditors in your country catch up.

Guidance on how SOC 1 and SOC 2 reports need to be structured is expected by April 2011, so please do not bug your friendly CPA about these new reporting standards until after April 2011.  The bottom line is that we expect to see a lot of SOC 2 reports that cover ITIL, HIPAA and PCI requirements as part of their testing.  So start asking your service providers now for an SSAE 16 or ISAE 3402 report, so that they can start asking their auditors to prepare one.


4 Responses to “SAS 70 Is Dead!”

  1. April 14, 2011 at 10:05 AM

    Great article. We have a similar blog post on our blog about how the new standards affect cloud computing and other hosting solutions:

    SAS 70 is Dead – Long Live SOC 2 and SOC 3

  2. October 20, 2010 at 2:08 PM

    I need to get a SAS 70 Type III certification, what do I do to get the certification? Will I get a seal to put on my company’s web site?

    • October 20, 2010 at 3:07 PM

      SAS 70 is NOT a certification and never has been. A SAS 70 report is an attestation by a CPA firm that the organization complies with the formal, documented policies, standards and procedures it has in place for the services it provides to other organizations. Those services must be material to the financial reporting of the organizations being provided the services. As to a Type III report, there is no such thing. I am assuming you mis-keyed and meant a Type II report. To obtain a SAS 70 Type II Service Auditor Report, you need to talk to a CPA firm. And finally, no, you will not get some ‘seal of approval’ for your Web site if you complete a SAS 70 audit as, again, it is NOT a certification.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

October 2010
