SSAE 16 replaces SAS 70 – UPDATE

Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stands for “Audit” but for “Attestation”: management of the service provider asserts that controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to that assertion.

The other difference is that the SSAE 16 is actually a series of reports. Financial institutions should become familiar with the format of the new reports, and be prepared when your service providers present you with the new document. You may also want to check whether your current contract with your critical service providers requires that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC 3) is referenced. The FFIEC will likely still consider these new reports as the best assurance that your service provider is adhering to your security standards. According to the AICPA web site:

Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?

A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.

Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors.  Stay tuned, we are expecting additional guidance from the AICPA later this fall.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

7 comments

  1. Thanks for the interest! There will be multiple posts on this topic as we go forward and AICPA guidance becomes more prescriptive…as I said, stay tuned!

  2. Yet another thing for us to keep up with. Thanks for keeping on top of it, Tom! If it weren’t for you, we would be hopelessly lost in all of the changes!

  3. “Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70. Stay tuned, we are expecting additional guidance from the AICPA later this fall.”

    SSAE 16 is THE replacement for SAS 70. The standards are virtually the same as SAS 70 was the basis for the ISAE standard which served as the basis for SSAE 16.

    1. True, the SSAE 16 is the functional replacement for the SAS 70 for ICFR. My (admittedly misleading) point is that since the SAS 70 had morphed into an all-purpose IT controls assessment, the AICPA was careful to position the SSAE 16 as an ICFR attestation ONLY.

      Good point, and thanks for the comment!