So, back to SOC 3, which is an attempt by the AICPA to have service organizations involved in e-commerce, e-business, and other supporting IT activities use SOC 3 reporting (or quite possibly SOC 2, which I'll cover in another post) as evidence of the organization's commitment to operating a secure system. That commitment is validated against the Trust Services principles and criteria of SysTrust and WebTrust: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
It will be interesting to see how the entire SOC framework plays out and what reporting options will be utilized. For simplicity, here is how the Service Organization Control (SOC) reporting framework is broken down:
SOC 1 - will use SSAE 16 as the professional standard
SOC 2 - will use AT Section 101 as the professional standard
SOC 3 - will rely on the SysTrust and WebTrust Principles and Criteria (Trust Services)
Here are some of the hot-button issues you should be keenly aware of:
1. SSAE 16 requires a written assertion by management, in which management of the service organization formally asserts to a number of specific matters (its description of the system, the suitability of the design of its controls and, for a Type 2 report, their operating effectiveness).
2. SSAE 16 requires management of the service organization to provide a description of its "system", which differs from SAS 70, which called only for a description of "controls".
3. SSAE 16 also brings into play a number of other elements, such as "monitoring" and the "identification of risk", along with the notion of "suitable criteria".
4. SSAE 16 is also part of a much broader initiative by the American Institute of Certified Public Accountants (AICPA) known as Service Organization Control (SOC) reports; SSAE 16 falls under SOC 1.
In short, there is much to learn about SSAE 16, and most service organizations would benefit greatly from an SSAE 16 Readiness Assessment by a competent, well-qualified CPA firm. Add the new SOC reporting framework to the mix, specifically SOC 2 and AT Section 101, and things can get quite complex indeed.
In fact, literature released by the AICPA in 2010 regarding the new SSAE 16 standard clearly illustrates, with examples, what is considered subject matter for a description of a service organization's "system".
Service organizations will have to revisit their previous SAS 70 description of "controls" narrative, and possibly make significant changes to meet the true intent, rigor and spirit of the new SSAE 16 reporting requirements.
My advice? Work with your auditor to ensure your description of the "system" meets the requirements set by SSAE 16.
Management's written assertion under SSAE 16 covers the following:
1. Management's description of the service organization's "system" fairly presents the system as designed and implemented at a specific date (Type 1 report) or throughout a specified period (Type 2 report).
2. The controls related to the control objectives stated in management's description of the system were suitably designed to achieve those control objectives at a specific date (Type 1 report) or throughout a specified period (Type 2 report), and, for a Type 2 report, operated effectively throughout that period.
3. The assertion also identifies the criteria used in making it (i.e., the risk factors relating to the controls and control objectives) and, for an SSAE 16 Type 2 report, states that the controls were consistently applied throughout the period.
To learn more about SSAE 16, visit the SSAE 16 Resource Guide.
SAS 70, which has been with us since April of 1992, slowly grew into an internationally recognized auditing standard that was used by service auditors performing engagements on service organizations for purposes of reporting on controls placed in operation and (in the case of a SAS 70 Type II) their operating effectiveness.
What's interesting to note about SSAE 16 and ISAE 3402 is that both require a description of the service organization's "system" along with a written assertion by management. SAS 70 required merely a description of "controls" and did not require a written assertion by management. These are two fundamental components of SSAE 16 and ISAE 3402 that all service organizations should be aware of.
Some service organizations will find that substantial work is needed to bring their prior SAS 70 description of "controls" up to the intent and rigor of the SSAE 16 and ISAE 3402 description of the "system". Lastly, it is important to note that SSAE 16 is an "attest" standard, while ISAE 3402 is an "assurance" standard.
Much like SAS 70 Readiness Assessments, an SSAE 16 Readiness Assessment should be looked upon as a useful and proactive step toward compliance. There are, without question, a number of items an SSAE 16 Readiness Assessment can assist with, such as defining audit scope, preparing the description of the "system", and preparing the written assertion by management.
Additionally, an SSAE 16 Readiness Assessment can help determine what role, if any, the internal audit function would play in an SSAE 16 Type 1 or Type 2 engagement.
In short, readiness assessments are important and should be considered a "must do" for any service organization seeking to comply with the new standard. Hello SSAE 16 (and ISAE 3402)... goodbye SAS 70.
It is worth noting that two of the most important components of the new SSAE 16 standard, with regard to service organization requirements, are the following:
1. Management must provide a description of its “system”.
2. Management must provide a written assertion, known simply as the written assertion by management.
What's interesting to note is that the SAS 70 auditing standard called only for a description of "controls" and did not require a written assertion by management at all. These two requirements alone (along with others) will require service organizations to spend considerable time and effort preparing for SSAE 16 reporting. Be ready: the migration from SAS 70 to SSAE 16 (and possibly ISAE 3402) is well underway.
What's important to note about SSAE 16, beyond the changes it represents from SAS 70, is the willingness of the AICPA's Auditing Standards Board (ASB) to adopt global standards for reporting on service organizations, a trend that is playing out in many other areas of the accounting industry.
It will be interesting to see how the landscape plays out for SSAE 16 and ISAE 3402 along with the continued reporting on controls at service organizations.
There are also a number of other roles, responsibilities, and requirements that management must undertake, but what's important to note at this point is why the new standard came to be, effectively creating the need for the U.S. standard (SAS 70) to be replaced, which is being done with SSAE 16.
ISAE 3402 represents a migration toward global accounting principles and standards, one that creates transparency and much more clarity when reporting on controls at service organizations. SAS 70, the standard used globally by many practitioners, had been showing its limitations for a number of years, due in large part to its being a U.S.-based standard that was not always meeting the ever-growing and complex reporting requirements of service organizations.
ISAE 3402 (and the U.S. standard, SSAE 16) are on their way to becoming the "standard" for reporting on controls at service organizations. Early adoption of the two standards is permitted, but it seems likely most service organizations will wait until 2011. Be prepared and get the facts about the ISAE 3402 standard.
In short, expect ISAE 3402 to bring about significant changes in reporting on service organizations, due in large part to the two requirements of the ISAE 3402 standard that differ from SAS 70: the description of the "system" and the written assertion by management.
SAS 70 is also effectively being replaced and superseded by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), effective for reporting periods ending on or after June 15, 2011.
SSAE 16 and ISAE 3402 are essentially similar standards, with some slight technical variations. They are the product of a convergence of auditing standards that has resulted in a more unified and transparent framework for reporting on controls at service organizations.