BUSINESS INSIGHTS | SPRING 2011

Try Saying ‘SSAE 16’ Five Times Fast

by Mark Eich

It doesn’t exactly roll off the tongue, does it? But talking about SSAE 16 without first mentioning SAS 70 would be a mistake—since few people know what SSAE 16 is yet.

SAS No. 70, Service Organizations (commonly referred to as SAS 70) contains the accounting rules that auditors must use when examining a service organization’s internal controls and security practices. Service organizations in this context are outsourced data centers, typically hired by another entity to process confidential transactions or data. For years, the service auditor’s report that came out of this inspection was the de facto standard for reporting on internal controls. However as of June 15, 2011, SAS 70 is history, replaced by SSAE 16.
Although SSAE 16 can be adopted earlier than the June 15 deadline, this news has been slow to catch on. Time and time again I see RFPs that are still requesting a SAS 70 report. Even some of my fellow practitioners are not aware of the change. In part, this is because of the powerful reputation SAS 70 has developed through the years.
In place since 1992, the SAS 70 report has years of industry familiarity. Organizations want to have trust and confidence in third party relationships and a SAS 70 helps establish that trust. For instance, if a hospital sees a SAS 70 report in the credentials of a billing vendor, it gives the hospital a measure of reassurance, given the importance of maintaining patient privacy.
However, a common complaint in the marketplace is the SAS 70 report focuses too much on financial reporting. SSAE 16, which stands for the Statement on Standards for Attestation Engagements, extends the reach of the SAS 70 beyond finance. SSAE 16 reports on other types of controls, such as those related to compliance and operations. Using the hospital-billing example, the new report would extend to the billing vendor’s IT security policy and procedures.
While the SSAE reports are more robust, they require more planning and preparation by both service organizations and auditors.
For service organizations, policies, procedures, and practices need to be formally documented in advance of the reporting period. SSAE 16 will also require service organizations to provide a formal risk assessment.
For auditors, it means they will have to determine the suitability of control design throughout the entire reporting period—not just near the end. This means all material control remediation needs to be completed before the reporting period begins.
Under SSAE 16, service organization management is also required to:
- Provide an assertion on the design and effectiveness of its internal controls (similar to the assertion provided in audit engagements under Sarbanes-Oxley)
- Perform due diligence in making this assertion
- Perform a documented risk assessment that identifies potential threats to the achievement of the control objectives within the system
- Document its system and processes
There are also changes to the report itself:
- The report must provide a description of the service organization’s “system” which is an expansion of the SAS 70 requirement to describe “controls.”
- Any use of an internal auditor’s work must be disclosed within the body of the report.
- The auditor’s opinion about the design, suitability, and effectiveness of controls must span the entire period covered by the report.
Not everything has changed. Some elements of SAS 70 remain in SSAE 16:
- An SSAE 16 engagement still carries an opinion signed by a CPA, although it is found in the attestation standards (versus the auditing standards).
- SSAE 16 reports are still designed to be used as auditor to auditor communication.
- The SAS 70 Type I versus Type II report is unchanged.
- Control objectives supported by control activities remain the same, although the requirement expands the idea to more holistically describe the “system.”
- The service organization may still provide other information (such as a description of a disaster recovery or business continuity plan).
- The treatment of subservice organizations remains largely unchanged (most service organizations will likely choose the “carve out” method).
For service organizations, the pain level of transitioning to the new standards depends in part on what they already have in place. Those that have had SAS 70 reports in the past will likely transition to the new standards more easily than will organizations that have never obtained a report.
But even those organizations will have an adjustment period because under SSAE 16, many decisions need to be made well before the reporting period starts.
People are comfortable with SAS 70 because it’s become a familiar term. It will take some time for SSAE 16 to be as recognizable. Maybe we can help brand this new standard if we all agreed to pronounce it as “SAY-16”—easy to remember, right?
Language aside, there is one thing that is abundantly clear: SSAE 16 (SAY 16!) is a much more comprehensive audit than the SAS 70. That’s the one thing everybody should remember.