I’ve written about this here, here and here, and we are still waiting on additional guidance from the AICPA, now expected March/April 2011. But of greater interest to financial institutions is the opinion of the FFIEC, which refers to the SAS 70 in the IT Examination Handbooks 30 times, and has yet to officially endorse a replacement.
Although the SSAE 16 is designated as the replacement report by the AICPA, you’ll need to become familiar with a couple of terms before determining if it will be suitable in your circumstances: ICFR and non-ICFR. ICFR stands for Internal Controls over Financial Reporting, and non-ICFR (logically) stands for controls other than those used for financial reporting.
Why is it important to understand this? Because the SSAE 16 standard specifically states that it is to be used only for ICFR, NOT non-ICFR. That means for the vast majority of financial institutions’ vendor relationships, such as core vendors and IT vendors, the SSAE 16 may not be the most relevant report to request or to receive.
You’ll also need to understand SOC reports. SOC stands for Service Organization Controls, and there are 3 options: SOC 1, SOC 2 and SOC 3 (and a Type I and Type II for the first 2). Here is the best way to understand them:
- SOC 1 – equivalent to the current SAS 70 for ICFR engagements
- SOC 2 – attests to controls relevant to data privacy, security, confidentiality, integrity and availability
- SOC 3 – equivalent to the current SysTrust and WebTrust reporting standards
Again, the SOC 1 and SOC 2 reports can be prepared as either a Type I (a point in time) or Type II (a period of time, typically 6 months).
Will the SOC 1 or the SOC 2 become the de facto replacement for the SAS 70? In my opinion, the SOC 2 directly addresses all the concerns a financial institution would have regarding their (and their customers’) information. But will the SOC 1 morph into something it’s not supposed to be, as the SAS 70 did? Only time will tell, so stay tuned…