Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stand for “Audit”, but “Attestation”: Management of the service provider asserts that controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to the assertion.
The other difference is that the SSAE 16 is actually a series of reports. Financial institutions should become familiar with the format of the new reports, and be prepared when your service providers present you with the new document. You may also want to check whether your current contract with your critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC3) are referenced. The FFIEC will likely still consider these new reports as the best assurance that your service provider is adhering to your security standards. According to the AICPA web site:
Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?
A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.
Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors. Stay tuned, we are expecting additional guidance from the AICPA later this fall.
Thanks for the interest! There will be mutiple posts on this topic as we go forward and AICPA guidance becomes more prescriptive...as I said, stay tuned!
Yet another thing for us to keep up with. Thanks for keeping on top of it, Tom! If it weren't for you, we would be hopelessly lost in all of the changes!
Pingback: SSAE 16 replaces SAS 70 – UPDATE 2 : FFIEC Guru
[…] my last post I indicated that the AICPA would have additional guidance on this topic this fall. It appears […]
Pingback: The FFIEC Handbooks and the SAS 70 : FFIEC Guru
[…] the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC3) here and here. Financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is […]
Pingback: SAS 70 alternatives : FFIEC Guru
[…] written about this here, here and here, and we are still waiting on additional guidance from the AICPA, now expected […]
"Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70. Stay tuned, we are expecting additional guidance from the AICPA later this fall." SSAE 16 is THE replacement for SAS 70. The standards are virtually the same as SAS 70 was the basis for the ISAE standard which served as the basis for SSAE 16.
True, the SSAE 16 is the functional replacement for the SAS 70 for ICFR. My (admittedly misleading) point is that since the SAS 70 had morphed into an all-purpose IT controls assessment, the IACPA was careful to position the SSAE 16 as an ICFR attestation ONLY. Good point, and thanks for the comment!