Sarbanes-Oxley Compliance: When to ask for a SAS 70 / SSAE 16
NOTE: This blog, originally published in May, 2010, was updated on August 29, 2011, to reflect the replacement of SAS 70 reports with Service Organization Reports (SOCs) prepared under SSAE no. 16 and AT 101.
Until June 15, 2011, SAS 70 reports were conducted to certify the internal controls in place at an outsourced service provider. Independent accounting firms completed two types of SAS 70 reports. A Type 1 report described the controls as of a particular date, but did not include testing of the effectiveness of the controls; a Type 2 report described the controls and tested the effectiveness of the controls over a period of time.
Effective June 15, 2011, the SAS 70 reports were replaced by Service Organization Reports (SOCs) 1, 2, and 3.
SOC 1 reports address internal controls over financial reporting at a service organization. They are conducted by an independent auditing firm under auditing standard SSAE No. 16. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests the effectiveness of the controls over a period of time.
SOC 2 reports address a service organization's internal controls related to security, availability, processing integrity, and privacy. They are conducted by an independent auditing firm under auditing standard AT 101. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests the effectiveness of the controls over a period of time.
A SOC 3 report is based on the SOC 2 report. It is a certification that can be used for marketing purposes.
When to ask for a SAS 70/SSAE 16 - SOC 1 Report
A general rule of thumb for requiring a SAS 70 (now known as an SSAE 16 - SOC 1 report) from a vendor: if they are holding something of value in trust for your company, then you have the right to ask them for an SSAE 16 - SOC 1 report. Something of value could be data (a server farm), inventory (a logistics center), cash (a payroll service such as ADP), stock (Equity Edge, etc.), and so on.
What can I expect to learn from an SSAE 16 - SOC 1 Report?
An SSAE 16 - SOC 1 report will detail the controls over financial reporting in place at your vendor's company and whether they have passed or failed testing. It will also detail what controls your vendor expects you to have at your company so that they can live up to their end of the bargain; e.g., if you do not encrypt the data being sent to your payroll service provider, they cannot guarantee the safety of that highly confidential information. The information in the SSAE 16 - SOC 1 report will let you know whether you should feel comfortable or nervous about how they are protecting the assets you are trusting them with.
What to do if your vendor does not offer an SSAE 16 - SOC 1 report
There isn't a clear answer for this issue. If a vendor is holding a material amount of assets for you and they do not offer an SSAE 16 - SOC 1 report, you will need to implement more internal controls at your company to ensure the vendor is not stealing from you. This could equate to a lot of work and money. I personally would not store highly confidential data or a material amount of cash or inventory with a company that wasn't willing to provide me with a clean Type 2 SSAE 16 - SOC 1 report. There are plenty of vendors out there who are willing to earn your business by proving they are worth doing business with, and a Type 2 SSAE 16 - SOC 1 report is a way to demonstrate that commitment to your assets' safety.
I received an SSAE 16 - SOC 1 report, now what?
Once you receive an SSAE 16 - SOC 1 report, you must analyze it to determine whether or not your vendor was given a clean report (this applies only to a Type 2, since only a Type 2 tests the effectiveness of the controls). You must determine what controls your vendor requires of you (see above) and whether or not you have them. You should also review the controls testing to see what deficiencies, if any, were found during testing. When it comes to external audits and internal controls testing, your auditors will ALWAYS review your SSAE 16 - SOC 1 report. When you receive one, just signing the top is not proof that you have reviewed it.
What is a Negative Assurance Memo?
Better question: why does it have such a weird name??! A Negative Assurance Memo, or Gap Letter, is a letter from your vendor that will tell you whether any of their internal controls have failed testing between SSAE 16 - SOC 1 reports. SSAE 16 - SOC 1 reports typically span nine-month periods. Because of this, you will need to gain comfort from your vendor that their controls were working for the last three months of YOUR fiscal year (not theirs but yours; you need comfort that their controls were working for the entire 12 months of your fiscal year). Because SSAE 16 - SOC 1 reports typically come out at the same time each year, say March, you will need a letter from your vendor stating either that nothing has changed from January through March, or that the sky is falling and it is just another issue you're going to have to deal with... but at least you'll know!
Can a service provider be SSAE No. 16 "Certified"?
In the past it was quite common for a service provider to claim "SAS 70" certification. The truth is, the AICPA, which governs accounting standards, has never implemented a program for certifying internal controls over financial reporting. So there was never a SAS 70 certification, and the AICPA has been quite clear that it will not issue an SSAE No. 16 certification. The only certification program it offers related to internal controls is the SOC 3 report, which is completed in conjunction with a SOC 2 report and certifies internal controls over security, availability, processing integrity, confidentiality or privacy.
For more information about the transition to SSAE No. 16, download our tipsheet or visit the AICPA's website and search for "SOC 1 Report".