The FFIEC has just updated its online IT Examination InfoBase to address the AICPA phase-out of the SAS 70 reporting format. All references to “SAS 70” have been replaced, and the SAS 70 sections of the Audit and Information Security Handbooks have been removed entirely. Previously there were a total of 31 references to “SAS 70” spread across 8 different Handbooks.
I wrote about this a number of times, and speculated about when the FFIEC would update its Handbooks and what would replace the term. For the most part “SAS 70” has been replaced with “SSAE 16” (the AICPA attestation standard that superseded SAS 70 for service organization control reports, now designated SOC 1), but there are also references to the SOC 2 and SOC 3 reports, as well as a more generic “other third-party review processes”. I’m happy to see the FFIEC is allowing for more flexibility in the choice of vendor control reports it considers acceptable. I’ve also made the case that although this does make the vendor management process a bit more challenging, institutions should welcome the transition.