SAS 70 replacement: SSAE 16

The often-misused SAS 70 auditing standard is set to be replaced next year by SSAE 16

By , Senior Editor

October 06, 2010, CSO

The SAS 70 auditing standard has been a must for service providers to test internal security controls. But it hasn't been without critics, and SAS 70's replacement is at hand.

In June 2011, it will be replaced by Standards for Attestation Engagements (SSAE) No. 16. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) finalized SSAE 16 in April with an effective start date of June 15, 2011. Its purpose is to update the U.S. service organization reporting standard so it mirrors and complies with the new international service organization reporting standard known as ISAE 3402.

Holly Russo, senior manager for accounting firm Schneider Downs & Co., summed up what's different in SSAE 16 in a website note to clients. Key differences are:

  • The requirement of a "management assertion" section within the report - Under SSAE 16, management of a service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization's system, the suitability of the design of the controls and, for Type 2 reports, the operating effectiveness of the controls. If a service organization uses subservice organization(s) and elects to use the inclusive method, the subservice organization(s)' assertion must also accompany the auditors' report. Management's assertion must also specify the criteria used for its assessment. These assertions are similar in nature to SAS 70 audit management representation letters. A separate management representation letter is also still required.
  • For Type 2 reports, the service auditors' opinion on fair presentation of the system and suitability of design will be for the period covered by the report. Under SAS 70, this is currently as of a point in time.

With the clock ticking, CSO decided to take the temperature of those who have experienced and/or conducted SAS 70 audits. The goal is to see how well it has prepared companies for the broader auditing gauntlet to come. The four perspectives that follow are in response to our inquiries in various LinkedIn forums.

Scott Crawford, research director at Enterprise Management Associates (EMA) and former information security officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria:

A SAS 70 audit is conducted according to objectives defined by the service organization for itself. In other words, SAS 70 is not itself a framework of objectives, but rather allows the organization to choose its objectives -- which begs the question of "audited to what?"
