Sarbanes-Oxley Compliance: When to ask for a SAS 70 / SSAE 16

Posted by Teresa Bockwoldt on May 12, 2010

SAS 70 Review InstructionsNOTE: This blog, originally published in May, 2010, was updated on August 29, 2011, to reflect the replacement of SAS 70 reports with Service Organization Reports (SOCs) prepared under SSAE no. 16 and AT 101.

Internal Control Tip: When to ask for a SAS 70 / SSAE 16

Background

Until June 15, 2011, SAS 70 reports were conducted to certify the internal controls in place at an outsourced service provider. Independent Accounting firms completed two types of SAS 70 reports.  A Type 1 report described the controls as of a particular date, but did not include testing of the effectiveness of the controls; a Type 2 report described the controls and tested of the effectiveness of the controls over a period of time.  

Effective June 15, 2011, the SAS 70 reports were replaced by Service Organization Reports (SOCs) 1, 2, and 3.

SOC 1 reports address internal controls over financial reporting at a service organization. They are conducted by an independent auditing firm under auditing standard SSAE no. 16. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests of the effectiveness of the controls over a period of time. 

SOC 2 reports address a service organization's internal controls related to security, availability, processing integrity, and privacy. They are conducted by an independent auditing firm under auditing standard AT 101. A Type 1 report describes the controls as of a particular date, but does not include testing of the effectiveness of the controls; a Type 2 report describes the controls and tests of the effectiveness of the controls over a period of time. 

A SOC 3 report is based on the SOC 2 reports. It is a certification that can be used for marketing purposes. 

When to ask for a SAS 70/SSAE 16 - SOC 1 Report

A general rule of thumb when it comes to requiring a SAS 70 (now known as a SSAE 16 - SOC 1 Report) from a vendor is if they are holding something of value in trust for your company, then you have the right to ask them for a SSAE 16 - SOC 1 report.  An example of holding something of value could be in the form of data (server farm), inventory (logistics center), cash (payroll service (ADP, etc)), stock (Equity Edge, etc.) and so on.  

What can I expect to learn from a SSAE - SOC 1 Report? 

A SSAE 16 - SOC 1 report will detail the controls over financial reporting available at your vendor's company and whether they have passed or failed testing.  It will also detail what controls your vendor expects you to have at your company to ensure they can live up to their end of the bargain, e.g., if you do not encrypt the data being sent to your payroll service provider, they cannot guarantee the safety of that highly confidential information. The information in the SSAE 16 - SOC 1 report will let you know if you should feel comfortable or nervous that they are protecting the assets you are trusting them with.  

What to do if your Vendor does not offer a SSAE 16 - SOC 1 report

There isn't a clear answer for this issue.  If a vendor is holding a material amount of assets for you and they do not offer a SSAE 16 - SOC 1 report, you will need to implement more internal controls at your company to ensure the vendor is not stealing from you.  This could equate to a lot of work and money.  I personally would not store highly confidential data or a material amount of cash or inventory with a company who wasn't willing to provide me with a clean Type 2 SSAE 16 - SOC 1 report.  There are plenty of vendors out there who are willing to earn your business by proving they are worth doing business with and a Type 2 SSAE 16 - SOC 1 report is a way to demonstrate that commitment to your assets safety. 

I received a SSAE 16 - SOC 1 report, now what? 

Once you receive a SSAE 16 - SOC 1 report, you must analyze it to determine if your vendor was given a clean report or not (only in a Type 2).  You must determine what controls your vendor requires of you (above) and whether or not you have them.  You should also review the controls testing to see what, if any deficiencies were found during testing.  When it comes to external audits and internal controls testing, your auditors will ALWAYS review your SSAE 16 - SOC 1 report.  When you receive one, just signing the top isn't proof that you have reviewed it.  

What is a Negative Assurance Memo

Better question, why does it have such a weird name??!  A Negative Assurance Memo or Gap Letter is a letter from your vendor that will tell you if any of their internal controls have failed testing between SSAE 16 - SOC 1 reports.  SSAE 16 - SOC 1 reports typically span nine-month periods.  Because of this, you will need to gain comfort from your vendor that for the last three months of YOUR fiscal year, (not theirs but yours - you need comfort that their controls were working for the entire 12 months of your fiscal year) their controls were working.  Because the SSAE 16 - SOC 1 reports typically come out at the same time each year, say March, for instance, then you will need a letter from your vendor stating that either nothing has changed from Jan - Mar or telling you that the sky is falling and it is just another issue you're going to have to deal with...but, at least you'll know!

Can a service provider be SSAE No 16 "Certified"?
In the past it was quite common for a service provider to claim "SAS 70" certification. The truth is, the AICPA, which governs accounting standards, has never implemented a program for certifying internal controls over financial reporting. So there was never a SAS 70 certification, and the AICPA has been quite clear that it will not issue a SSAE No. 16 certification. The only certification program it offers related to internal controls is the SOC 3 report, which is completed in conjunction with SOC 2 reports, and certifies internal controls over security, availability, processing integrity, confidentiality or privacy 

The transition from SAS70 to SOC 1 SSAE 16 reports has brought added complexity for companies using Service Providers. Vibato offers a SSAE 16 Review Checklist that will show you when to ask for a SSAE 16, what questions to ask, and how to review your vendors internal control report to ensure you understand what it means and so you can demonstrate your analysis to your stakeholders and external auditors.  

For additional information, follow these links to read our blog posts about:

 
Let's work! SAS 70 to SSAE 16 - A New Standard for Service Organizations
 Chalkboard  How to Properly Review a SAS 70
 SAS 70 Review  SAS 70 to SSAE 16: How to Review your Vendors Internal Control Report

Watch our videos:

 Monitor  Click here to watch a video on How to Deal with your SSAE 16

Download our tip sheets:

 Download Download our tip sheet - "4 Tips - What to Consider in the Transition to SSAE 16."
4 Tips - What to Consider in the Transition to SSAE 16

 

The SSAE 16 Review Checklist is available for purchase on our sister site, AccountingTemplates.com. Accountingtemplates.com contains nearly 1000 Internal Control Procedures™, like the SSAE 16 Review Checklist, that can help take the complexity out of your day-to-day accounting work and help you understand how to prepare your audit evidence documentation.

AccountingTemplates.com

Click Here to View the Checklist

Tags: Sarbanes-Oxley Articles & Information, Compliance tools, Controls Testing, Sarbanes-Oxley Training, compliance, Sarbanes-Oxley