Sarbanes-Oxley Compliance: When to ask for a SAS 70 / SSAE 16


NOTE: This blog, originally published in May, 2010, was updated on August 29, 2011, to reflect the replacement of SAS 70 reports with Service Organization Reports (SOCs) prepared under SSAE no. 16 and AT 101.

Background

Until June 15, 2011, SAS 70 reports were conducted to certify the internal controls in place at an outsourced service provider. Independent accounting firms completed two types of SAS 70 reports. A Type 1 report described the controls as of a particular date, but did not include testing of the effectiveness of the controls; a Type 2 report described the controls and tested the effectiveness of the controls over a period of time.

Effective June 15, 2011, the SAS 70 reports were replaced by Service Organization Reports (SOCs) 1, 2, and 3.

SOC 1 reports address internal controls over financial reporting at a service organization. They are conducted by an independent auditing firm under auditing standard SSAE No. 16. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests the effectiveness of the controls over a period of time.

SOC 2 reports address a service organization's internal controls related to security, availability, processing integrity, and privacy. They are conducted by an independent auditing firm under auditing standard AT 101. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests the effectiveness of the controls over a period of time.

A SOC 3 report is based on the SOC 2 report. It is a certification that can be used for marketing purposes.

When to ask for a SAS 70/SSAE 16 - SOC 1 Report

A general rule of thumb when it comes to requiring a SAS 70 (now known as a SSAE 16 - SOC 1 Report) from a vendor: if they are holding something of value in trust for your company, then you have the right to ask them for a SSAE 16 - SOC 1 report. Something of value could take the form of data (a server farm), inventory (a logistics center), cash (a payroll service such as ADP), stock (Equity Edge, etc.), and so on.

What can I expect to learn from a SSAE 16 - SOC 1 Report?

A SSAE 16 - SOC 1 report will detail the controls over financial reporting in place at your vendor's company and whether they have passed or failed testing. It will also detail what controls your vendor expects you to have at your company to ensure they can live up to their end of the bargain; e.g., if you do not encrypt the data being sent to your payroll service provider, they cannot guarantee the safety of that highly confidential information. The information in the SSAE 16 - SOC 1 report will let you know whether you should feel comfortable or nervous about how they are protecting the assets you are trusting them with.

What to do if your Vendor does not offer a SSAE 16 - SOC 1 report

There isn't a clear answer for this issue. If a vendor is holding a material amount of assets for you and they do not offer a SSAE 16 - SOC 1 report, you will need to implement more internal controls at your company to ensure the vendor is not stealing from you. This could equate to a lot of work and money. I personally would not store highly confidential data or a material amount of cash or inventory with a company who wasn't willing to provide me with a clean Type 2 SSAE 16 - SOC 1 report. There are plenty of vendors out there who are willing to earn your business by proving they are worth doing business with, and a Type 2 SSAE 16 - SOC 1 report is a way to demonstrate that commitment to your assets' safety.

I received a SSAE 16 - SOC 1 report, now what? 

Once you receive a SSAE 16 - SOC 1 report, you must analyze it to determine whether your vendor was given a clean report or not (a pass/fail result on control effectiveness exists only in a Type 2 report). You must determine what controls your vendor requires of you (see above) and whether or not you have them. You should also review the controls testing to see what deficiencies, if any, were found during testing. When it comes to external audits and internal controls testing, your auditors will ALWAYS review your SSAE 16 - SOC 1 report. When you receive one, just signing the top isn't proof that you have reviewed it.

What is a Negative Assurance Memo?

Better question: why does it have such a weird name? A Negative Assurance Memo, or Gap Letter, is a letter from your vendor that will tell you whether any of their internal controls have failed testing between SSAE 16 - SOC 1 reports. SSAE 16 - SOC 1 reports typically span nine-month periods. Because of this, you will need to gain comfort from your vendor that their controls were working for the last three months of YOUR fiscal year (not theirs but yours; you need comfort that their controls were working for the entire 12 months of your fiscal year). Because the SSAE 16 - SOC 1 reports typically come out at the same time each year, say March, for instance, you will need a letter from your vendor stating either that nothing has changed from January through March, or telling you that the sky is falling and it is just another issue you're going to have to deal with... but at least you'll know!

Can a service provider be SSAE No. 16 "Certified"?

In the past it was quite common for a service provider to claim "SAS 70" certification. The truth is, the AICPA, which governs accounting standards, has never implemented a program for certifying internal controls over financial reporting. So there was never a SAS 70 certification, and the AICPA has been quite clear that it will not issue a SSAE No. 16 certification. The only certification program it offers related to internal controls is the SOC 3 report, which is completed in conjunction with a SOC 2 report and certifies internal controls over security, availability, processing integrity, confidentiality, or privacy.

For more information about the transition to SSAE No. 16, download our tipsheet or visit the AICPA's website and type "SOC 1 Report" into the search tool.

Comments

Posted by Michael Hammer  
 
My personal opinion is that SAS 70 Type 2 reports should always be viewed with skepticism. In many cases the accounting firm/auditor generating the report does not have a thorough understanding of technology and relies heavily on what the client provides.
 
An example of this is a Type 2 report that was provided by a potential vendor not long ago, which the vendor was trying to use as documentation of PCI compliance. There was a section referencing a "penetration vulnerability scan" to document compliance for penetration testing. This turned out to be quarterly scans by an ASV, yet the accounting firm had provided a letter of PCI compliance that was based in part on the SAS 70 Type 2 report which the same accounting firm had provided.
 
As with many other things, caveat emptor. A SAS 70 report can provide useful insights, but not necessarily the ones that are generally touted.
 
Posted @ Friday, April 15, 2011 1:28 PM by Teresa Bockwoldt
A right to audit could be implemented in your contract with the vendor. This way you can decide what controls you need them to have for your control environment to be adequate and test them. 
 
There will in all likelihood be confidentiality issues, and it would probably be a good idea to engage external auditors or consultants in an agreed upon procedures engagement. 
 
This solves a couple of issues with the SAS 70. You only get the controls you want and need tested (as opposed to a document so long that it wastes time dredging through to what you actually expect the vendor to have). It will in all likelihood be a lot cheaper than a SAS 70, which will not be fully utilised anyway.
 
I wouldn't necessarily say a vendor is bad and to be avoided simply due to them not wanting to provide you with a SAS 70; they just have experiences in the past where the cost is not warranted. Additionally, they may have had multiple requests for separate engagements after the SAS 70, which made the experience significantly less useful for them. This can happen particularly where the vendor has "tweaked" their processes for specific customers and the SAS 70 scope includes only the generic model offered by the vendor.
Posted @ Saturday, April 16, 2011 12:55 PM by Philip Kaiser