


by Senior Editor

SAS 70 replacement: SSAE 16

Oct 06, 2010
Compliance, Data and Information Security, Government

The often-misused SAS 70 auditing standard is set to be replaced next year by SSAE 16

The SAS 70 auditing standard has been a must-have for service providers that need to demonstrate their internal controls to customers and their customers’ auditors. But it hasn’t been without critics, and SAS 70’s replacement is at hand.

In June 2011, it will be replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) finalized SSAE 16 in April with an effective start date of June 15, 2011. Its purpose is to update the U.S. service organization reporting standard so it mirrors and complies with the new international service organization reporting standard, International Standard on Assurance Engagements (ISAE) 3402.

Holly Russo, senior manager for accounting firm Schneider Downs & Co., summed up what’s different in SSAE 16 in a website note to clients. Key differences are:

  • The requirement of a “management assertion” section within the report – Under SSAE 16, management of a service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls and, for Type II reports, the operating effectiveness of the controls. If a service organization uses subservice organization(s) and elects to use the inclusive method, the subservice organization(s)’ assertion must also accompany the auditors’ report. Management’s assertion must also specify the criteria used for its assessment. These assertions are similar in nature to SAS 70 audit management representation letters. A separate management representation letter is also still required.
  • For Type II reports, the service auditors’ opinion on fair presentation of the system and suitability of design will be for the period covered by the report. Under SAS 70, this is currently as of a point in time.
With the clock ticking, CSO decided to take the temperature of those who have experienced and/or conducted SAS 70 audits. The goal is to see how well it has prepared companies for the broader auditing gauntlet to come. The four perspectives that follow are in response to our inquiries in various LinkedIn forums.

Scott Crawford, research director at Enterprise Management Associates (EMA) and former information security officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria.

A SAS 70 audit is conducted according to objectives defined by the service organization for itself. In other words, SAS 70 is not itself a framework of objectives, but rather allows the organization to choose its objectives — which begs the question of “audited to what?”

Of course, most orgs will be motivated to audit to a recognized standard of some sort. In many cases, widely accepted guidance such as COBIT may be used as a framework, but COBIT can be very general, and may be geared more towards higher-level program management rather than specifics of implementation. But COBIT is just one of many such — and any framework can be tuned to the specific needs of an organization or an audit — so knowing the controls and control objectives of a specific audit is equally important. This means that a SAS 70 audit could be very thorough if the control objectives are highly granular — and uselessly general if too extreme at the other end of the spectrum.

Thus, there are in fact not only many alternatives to a SAS 70 audit, but many control objectives and/or frameworks that could be defined for any audit, including for any SAS 70 audit. This includes PCI DSS, ISO 27000-series, SysTrust, and so on. The BITS Shared Assessments initiative was intended to specifically enable primarily financial organizations to work together to standardize assessment in a number of areas, including security. However, there are advantages as well as deficiencies in each of these approaches as well, such as: how current the standard is with the current landscape of IT threats or the technology itself. Virtualization, for example, still has yet to be addressed as thoroughly as it should in some cases. Yet it is frequently a fundamental technology in cloud computing.

Chris Schellman, CPA, CISSP, CISA, CIA, president and shareholder, SAS 70 Solutions, Inc.

The SAS 70 audit standard works great for its intended purpose, and not so well otherwise. It never claimed to be the universal solution for all assessment needs, but there is absolutely no substitute for it in the areas of financial statement audit and SOX compliance. Criticism of the standard often demonstrates profound disregard for the standard’s intended purpose. It is fair to criticize the misapplication of the standard and misuse of SAS 70 audit reports, but that does not equate to a fault in the standard itself.

To say the SAS 70 standard is going away might not be the best angle. Yes, it is being superseded by SSAE 16, but SSAE 16 used the SAS 70 standard as its basis. So did the international standard, ISAE 3402, which the assurance bodies of other countries are busily adopting entirely or are aligning their SSAE 16 equivalent standards to match. We may actually be entering a boom period for “SAS 70 v2.0” (in the form of SSAE 16 and ISAE 3402). Most differences between SAS 70 and the new standards will be almost indistinguishable to the average layperson.

Don Fergus, chief security officer for Intekras Inc.

In our IT Risk reviews, we utilize ISO 27001/27002 to review the adequacy of security measures in place. By definition, SAS 70 reviews include procedures to obtain reasonable assurance about whether control descriptions (as described by management) present the aspects of a service organization’s controls that may be relevant to an audit of financial statements, and further that the controls included in the description were suitably designed to achieve the control objectives specified in the description. This means that in a SAS 70 Type II review a service organization describes its control mechanisms and then one tests to verify that the control exists. So, if there’s a lousy control in place, the reviewer attests to its existence rather than recommend its improvement.

Unlike SAS 70, the ISO standard has over 150 predefined controls. During our ISO-based reviews, we determine whether a specific control applies (through a Statement of Applicability), how an organization meets the control objective, and we collect evidence that they have met the control. Rather than rely on management to describe controls (and then merely attest to their existence), we prefer ISO-based reviews, because they provide a comprehensive set of security-related topics and an objective means of measuring risk.

Shrinath, senior information security auditor at SunGard

My organization has undergone SAS 70 audits for the last 3 years. For the first year it was definitely challenging to know all about it and its testing procedures. It is definitely one of the most stringent audits because of the number of evidence samples picked up for testing, and any failure in a single one of them can result in control failure unless you have very good compensating controls for it. For us, it has helped to tighten the process lapses and increase the operating effectiveness of the controls.