SAS 70 Is Dead!

Long live SSAE 16 and ISAE 3402!

One of the most misunderstood things about SAS 70 was the fact that it was technically only a valid auditing standard in the United States, even though SAS 70 reports are done for non-US based service providers and are relied upon by businesses and auditors worldwide.  However, on or before June 15, 2011, that will change.  As of that date, Statement on Standards for Attestation Engagements (SSAE) 16 and International Standards on Attestation Engagements (ISAE) 3402 will replace the venerable SAS 70.  SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is issued by the International Federation of Accountants (IFAC).

The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same.  There are a few differences that are important to financial auditors and lawyers, but should not have an impact on people relying on these reports for PCI compliance or other purposes.  What is important is that now, no matter where you are in the world; you can obtain an independent assessment of a service provider’s controls.

There are three different types of AICPA Service Organization Control (SOC) reports.  The SOC 1 (Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting) is what SAS 70 is now referred to and is conducted to the SSAE 16 standard.  The SOC 2 (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy) and SOC 3 (Trust Services Report for Service Organizations, formerly known as WebTrust) are conducted to Attest Engagements section 101 standards.  The AICPA has indicated that SOC 1, SOC 2 and SOC 3 reports have to be issued as separate reports.

For PCI and other IT or non-financial purposes, the SOC 2 report is the one that should provide you the most benefit as it can include controls relevant to security, availability, processing integrity, confidentiality and/or privacy.  SOC 2 reports must use all or a complete subset of the SOC 3 principles.  While not ITIL, HIPAA, PCI or such, they should be more than adequate to ensure an organization is conducting business to ensure appropriate practices.   Best of all, as with the SOC 1, the CPA firm can issue an opinion as to whether those controls are functioning as designed.  Why is an opinion important?  Because the CPA firm has conducted testing over a given period of time (usually six to 12 months) to ensure that the controls tested functioned as designed for the period of time being audited.  ISO and PCI certifications do not provide such assurances as they are as of a certain date not over a period of time.  Although I understand that ISO is considering changes to their processes that may change their certification processes to be similar to SOC 2.

Unfortunately, financial auditors outside of the United States are, for the most part, unfamiliar with conducting such an assessment of controls.  As a result, they will need time to get up to speed on such attestation engagements.  So those of you outside of the United States need to be patient while the auditors in your country get up to speed.

Guidance on SOC 1 and SOC 2 reports need to be structured is expected by April 2011.  So please do not bug your friendly CPA until after April 2011 regarding these new reporting standards.  The bottom line is that we are expecting to see a lot of SOC 2 reports that will cover ITIL, HIPAA and PCI requirements as part of their testing.  So start asking your service providers now for an SSAE 16 or ISAE 3402 report now so that your service provider can start asking their auditor to prepare such a report.

Advertisement

SAS 70 and PCI

One of the most misunderstood standards is the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards number 70 (SAS 70).  I intend to explain this standard and show how it can be applied to the PCI compliance process.

It is important to understand that the SAS 70 is a financial accounting standard and is considered an attest service in the audit community.  As an attest service that means that the auditor issues an opinion regarding the control environment.  This attestation is not a certification such as those an organization gets for ISO.  The SAS 70 standard was developed so that financial auditors did not have to go out and conduct an audit of every outsourcer that a client might use.  This saves the outsourcer of having multiple audits conducted mostly in the last quarter of the year.  However, being a financial audit standard, it does not have to cover everything that you will need to complete your PCI compliance process.  Even with the SAS 70 report, you will likely have to go back to the outsourcer with additional questions.

A key point about SAS 70 is that there must be a material financial impact to your company in order to justify a SAS 70 report from an outsourcer.  This is why outsourcers such as those that process your organization’s payroll or serve up your financial software will have a SAS 70, but your telecommunications provider or the company that monitors the security of your facilities likely does not have a SAS 70.  As a result, not every outsourcer will have to provide your organization a SAS 70 report.

A SAS 70 can come in two varieties, Type I and Type II.  A SAS 70 Type I report only attests to the description of the outsourcer’s control environment.  The auditor conducts no independent testing of the control environment and therefore does not express an opinion on whether or not the control environment is functioning properly.  For PCI compliance a Type I report is worthless, as you need the testing to have any chance of using the report.  A Type II report will have a section devoted to the tests that were conducted to confirm that the control environment is functioning properly and the outcome of those tests.  However, since the testing in a Type II report will be focused on key financial controls that do not necessarily involve PCI, a Type II report may also be worthless to your PCI compliance efforts.

Just like its financial audit report brethren, there is a correct way to read a SAS 70.  The first thing you should read is the cover letter to the report, otherwise known in auditing circles as the opinion letter.  The opinion letter will tell you the locations reviewed, the time span of the report, whether the report is a Type I or a Type II and whether or not there were material issues found during the audit.

The locations reviewed are very important.  If your organization is hosted out of the outsourcer’s data center Q and it was not reviewed in the SAS 70 report, then you need to get the SAS 70 report that covers data center Q.  Unlike the PCI ROC, which covers an organization’s compliance at a given point in time, a SAS 70 report is for a period of time known as the opinion period.  The opinion period can be as little as three months and typically as much as 12 months.  Most SAS 70 reports are for opinion periods of six to 12 months.  For financial auditors, they can only accept SAS 70 reports that cover all or part of their audit client’s financial audit period.  For PCI compliance, it is up to you to determine if you are willing to accept the SAS 70 report.  If you have a QSA conducting your assessment, it is up to the QSA to accept the report.

The opinion letter will not expressly use the terminology of Type I or Type II.  To determine the type of SAS 70 report, you will need to read the letter and look for where it says, “We did not perform procedures to determine the operating effectiveness of controls for any period” or similar wording.  That will indicate that the report is a Type I and is not usable for you PCI compliance.

There are three opinions that an auditor can provide; unqualified, qualified and adverse.  An adverse opinion is the worst and means that the control environment is not operating as designed and the controls cannot be relied upon.  I have never seen an adverse opinion ever publicly issued, but you need to be aware that it does exist.  A qualified opinion means that some controls are not operating as designed.  The opinion letter will document those controls that failed and why they failed.  The best opinion, unqualified, means that the control environment is functioning as designed and that none of the controls failed testing.  Remember, just because an outsourcer gets an unqualified opinion, does not mean that the controls operate that way all of the time.  It just means that the auditor through their testing techniques was not able to observe any conditions that would indicate that the controls were not functioning.  The phrase ‘reasonable but not absolute assurance’ is how auditors refer to the ability of their testing to detect any flaws in the control environment.  What this means is that they construct their tests such that there is a high likelihood that any flaws in the controls can be detected, but that these testing procedures are not perfect.

Once you have read the opinion letter, you need to read the testing section to see if the controls that you need for your PCI compliance were tested and if the tests are ones that are relevant to your PCI compliance.  The most common tests that everyone needs are related to physical security and environmental controls at the data center. All of these are necessary for all outsourcers.  Additional control testing will be required if your outsourcer provides services beyond just housing your technology, so you will be interested in controls surrounding those additional services.  Many organizations are now adding PCI, Gramm Leach Bliley Act (GLBA) and Sarbanes Oxley (SOX) tests to their SAS 70 reports to help their customers meet the majority of their compliance requirements.  This is a relatively new practice and the adding or changing tests can radically affect the price of an organization’s SAS 70 report, so it is still rare to find many of the controls tested for these other compliance areas.

When reviewing the control tests, the auditor will usually mark the test as “No Relevant Exception Noted” if the test was passed.  In cases where an issue was noted, the issue will be documented.  If the issue is determined to not be systemic, it will typically be noted in the testing notes and will not result in a qualification.  If a single issue is deemed by the auditor to be systemic or a group of issues lead the auditor to believe there is a failure of controls, then a qualification will be generated.  A qualification is not an indication of a bad organization; a qualification just indicates an area that requires improvement.  However, depending on the controls qualified, you may feel that your outsourcer has issues in meeting their PCI compliance obligations.

The final area that should be reviewed is a section labeled ‘User and User Auditor Considerations’.  Not all SAS 70 reports have such sections but those that do are typically invaluable to the user organization.  This section describes the controls that your organization needs to have in place and functioning in order for the outsourcer’s control environment to function as described in the SAS 70 report.  This is similar to the purpose of the Implementation Guide required in the PA-DSS.  Without this section, your organization would not know its responsibilities for creating complimentary controls so that the controls in place at the outsourcer remain functional and effective.

Entire books have been written on the SAS 70 process.  I hope that I have given you an eye into the process and how you can use it to reduce the amount of work to meet your PCI compliance.

UPDATE: It was announced in February 2010 that the SAS 70 standard will be superseded by SSAE 16 in the United States and by ISAE 3402 internationally.  From a user and user auditor standpoint, these new auditing standards do not change much from the SAS 70, so what is stated here still is valid.  See my new post entitled SAS 70 Is Dead for more information on SSAE 16 and ISAE 3402.