The FFIEC Handbooks and the SAS 70

October 8, 2010 Tom Hinkel Hot Topics 1 Comment  Like

The FFIEC Handbooks and the SAS 70

I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC3) here and here.  The AICPA isn’t expected to update their audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, and in a total of 8 of the 12 IT Examination Handbooks.  It’s mentioned 10 times in the Information Security Handbook alone!

I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”.  It will then fall to the financial institution to determine the most appropriate report for each service provider, based on their risk assessment.  However, the service provider will deliver whatever report they decided to prepare, which may or may not match the report requested.

Print Friendly, PDF & Email
Tags
Tom Hinkel
Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
tom.hinkel@safesystems.com

Write a Comment

© 2024 Safe Systems, Inc. All rights reserved. Compliance Guru is a registered trademark of Safe Systems. Privacy Policy