I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC 3) here and here. The AICPA isn’t expected to update their audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, and in a total of 8 of the 12 IT Examination Handbooks. It’s mentioned 10 times in the Information Security Handbook alone!
I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”. It will then fall to the financial institution to determine the most appropriate report for each service provider, based on their risk assessment. However, the service provider will deliver whatever report they decided to prepare, which may or may not match the report requested.