“A SAS 70 should not be a replacement for good old-fashioned due diligence,” says Joel Lanz, a CPA who provides technology-risk-management, IT-auditing, and data-security services to banks, and co-chairs the AICPA’s Top Technology Initiatives task force. “A CFO should know that, but a lot of companies, especially smaller ones, don’t do proper due diligence on vendors. They take the easy way out.”
Proper due diligence, Lanz adds, goes beyond the assessment of financial controls that is the province of SAS 70. The report may tangentially address system security and processing integrity, depending on the nature of the services and how the systems affect customers’ financial statements. But, if done correctly, it does not cover controls that keep sensitive company information confidential or customer data private. Despite what vendors may say or imply, Lanz says, “privacy controls are not covered by SAS 70 audits.”
Controls over aspects of data security, processing integrity, privacy, confidentiality, and system availability that do not affect the accuracy of service users’ financial statements are more properly tested with an attestation called Trust Services. Relatively few U.S. service providers have embraced that option since it became available in 2003, says the AICPA’s Landes. But the AICPA is hoping that some changes slated to take effect next year (see “SOC It to Me” at the end of this article) will clear up some of the confusion over an auditing practice that is becoming ever more important.
David McCann is senior editor for technology at CFO.
SOC It to Me
Will new multitiered guidance restrain SAS 70 marketing hype?
Forget about marketing overreach: service providers soon will have to stop talking about SAS 70 altogether. That’s because it is set to be replaced next June with Statement on Standards for Attestation Engagements No. 16.
SSAE 16 will differ in some respects from SAS 70, but it will have the same narrow focus on controls over systems and processes that influence the accuracy of journal entries for service firms’ customers.
The change is driven primarily by the ongoing effort to converge U.S. and international accounting and auditing standards, but the American Institute of Certified Public Accountants also frames it as part of a rebranding effort that it hopes will help clear up confusion over the scope of such reports.
The AICPA’s Auditing Standards Board is creating a new umbrella, called Service Organization Controls, that defines three options for auditor reports on the controls of service providers:
Under SOC 1, which is synonymous with SSAE 16 (and is, in fact, available now), a service organization provides a very detailed description of its financial-related controls, to which the auditor will attest. Like SAS 70, SOC 1 is a restricted-use report, to be shared only with service providers’ customers and their auditors.
SOC 2, a new option still being formalized, will be a similarly detailed examination of a service firm’s controls over security, privacy, confidentiality, availability, and processing integrity. The auditor will have discretion about whether to restrict the report’s use, based on whether it is deemed relevant to the general public as opposed to just the service firm’s existing customers.
SOC 3 represents a rebranding of the little-used Trust Services attestation, and will address the same five nonfinancial domains as SOC 2. But it is not based on detailed management assertions. Rather, the auditor opines on whether the service firm satisfies a set of more-general criteria for its control environment. It will continue to offer the option of a SysTrust seal, which is very much like a certification that can be used for marketing purposes, and the report itself can be made public.
“We think that once these additional alternatives are in place, it will help tremendously to clear up the marketplace,” says Chuck Landes, the AICPA’s vice president of professional standards and services.
But there will be nothing to stop vendors from making exaggerated marketing claims about their SOC 1 and SOC 2 reports, as they have for SAS 70. “The only way that situation will improve substantially is if businesspeople really understand what these new terms mean,” says auditor and SAS 70 expert Dan Schroeder. “That will take a strong brand-messaging effort. There’s a lot of work to do to turn things around.” — D.M.