Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stands for “Audit” but for “Attestation”: management of the service provider asserts that its controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to that assertion.
The other difference is that the SSAE 16 is actually a series of reports. Financial institutions should become familiar with the format of the new reports and be prepared for when their service providers present them with the new document. You may also want to check whether your current contracts with your critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC 3) is referenced instead. The FFIEC will likely still consider these new reports the best assurance that your service provider is adhering to your security standards. According to the AICPA web site:
Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?
A. – No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.
Most importantly, this means the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors, since many of them provide services that are not related to financial reporting. Stay tuned; we are expecting additional guidance from the AICPA later this fall.