Compliance Guru • FFIEC Guidance
By Tom Hinkel In Hot Topics

SSAE 16 replaces SAS 70 – UPDATE

Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stands for “Audit” but for “Attestation”: management of the service provider asserts that controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to that assertion.

The other difference is that the SSAE 16 is actually a series of reports. Financial institutions should become familiar with the format of the new reports and be prepared for the day their service providers present them with the new document. You may also want to check whether your current contracts with your critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC 3) is referenced. The FFIEC will likely still consider these new reports the best assurance that your service provider is adhering to your security standards. According to the AICPA web site:

Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?

A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.

Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors.  Stay tuned, we are expecting additional guidance from the AICPA later this fall.

Audit FFIEC SAS 70 Vendor Management

Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.


7 replies added

  1. Tom August 25, 2010 Log in to Reply

    Thanks for the interest! There will be multiple posts on this topic as we go forward and AICPA guidance becomes more prescriptive…as I said, stay tuned!

  2. ITBanker August 27, 2010 Log in to Reply

    Yet another thing for us to keep up with. Thanks for keeping on top of it, Tom! If it weren’t for you, we would be hopelessly lost in all of the changes!

  3. HedgeHogCPA September 1, 2011 Log in to Reply

    “Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70. Stay tuned, we are expecting additional guidance from the AICPA later this fall.”

    SSAE 16 is THE replacement for SAS 70. The standards are virtually the same, as SAS 70 was the basis for the ISAE standard which served as the basis for SSAE 16.

    • Tom September 2, 2011 Log in to Reply

      True, the SSAE 16 is the functional replacement for the SAS 70 for ICFR. My (admittedly misleading) point is that since the SAS 70 had morphed into an all-purpose IT controls assessment, the AICPA was careful to position the SSAE 16 as an ICFR attestation ONLY.

      Good point, and thanks for the comment!

Copyright ©2021 Compliance Guru®.
All Rights Reserved.