Category: Hot Topics

20 Sep 2010
Hot Topics Tom Hinkel 3 Comments

SSAE 16 replaces SAS 70 (…sort of) – UPDATE 2

In my last post I indicated that the AICPA would have additional guidance on this topic this fall.  It appears that we may now have to wait until early 2011.  According to this document from the AICPA,

“The existing (AICPA Audit) guide is being overhauled and rewritten to reflect the requirements and guidance in SSAE No. 16. The revised guide is expected to be available for sale in early 2011”.

This presents a dilemma for service institutions whose existing SAS 70 reports have expired, or are about to expire.  I will address this in greater detail in a future post.  But the much bigger issue is for financial institutions who rely on the SAS 70 reports to validate the adequacy and effectiveness of controls at their service provider.  As I made clear in my last post, the new SSAE 16 reporting standard is not designed to address controls over subject matter other than financial reporting.  According to a recent article:

In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

For the vast majority of vendors that provide products and services to financial institutions, the the SSAE 16 is not appropriate unless the product or service provided directly impacts financial reporting.

If you are a financial institution with outsourced IT services, you should be far more interested in the privacy, security, confidentiality, integrity and availability of your (and your customers’) data at the service provider.  The report you want is called a Service Organization Control (SOC) Report. There are 3 different reports:

  • SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
  • SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  • SOC 3 – Trust Services Report

Your service provider may present you with any one of these (or the SSAE 16), and with either a Type I or Type II.  I believe that the SOC 2, Type II will be adopted as the de-facto standard for organizations that provide IT related services to financial institutions (including managed services like cloud computing).

The guidance we are waiting on from the AICPA is a report called “Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy”.  Again, it’s not expected until early next year, but financial institutions should start planning now.  Ask your service provider to tell you what report they plan to provide to you, and then determine whether or not the report provided sufficiently addresses your concerns.

Bottom line…this is no longer simply a “check-list” item in your vendor management program!

To be continued…

15 Sep 2010
Hot Topics Tom Hinkel 0 comment

FDIC issues guidance on copy machine hard drives

The FDIC issued FIL-56-2010 today, addressing risk posed by sensitive information stored on certain electronic devices (copy machines, fax machines and printers) that utilize internal storage, and how institutions should mitigate that risk.

This guidance only covers those devices that have internal storage, such as a hard drive or flash memory, but according to some reports, every copy machine manufactured since 2002 contains a digital hard drive.

In short, the FIL references GLBA, and states that:

“Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of.”

Because the FIL refers to existing guidance regarding the proper disposal of customer information, no new policies should be required.  However you should update your existing policies to make sure these new devices are identified and included.  It might also be a good time to re-evaluate your disposal method to make sure it is “sufficiently robust to render the information on the disk unrecoverable”.

(NOTE:  HP addresses the issue for their devices here.)

07 Sep 2010
Hot Topics Tom Hinkel 0 comment

CUNA adds examiner feedback section to member website

The Credit Union National Association (CUNA) is soliciting comments from it’s members regarding their recent NCUA examination experiences.

“We have heard from credit unions a lot over the last few months that many are finding their examiners and exams to have been a lot more difficult than they were previously,” said Mary Dunn, senior vice president for CUNA.

There is no doubt that the NCUA has been scrutinizing credit unions more closely lately, the question is whether NCUA examiners are being perceived as  more difficult because they are holding institutions to a higher standard, or are they just being more difficult.  Hopefully this will become clearer as more members weigh in, but I wrote about this here and here, speculating that since the FDIC now has the ability to supersede the primary federal regulator (PFR), the non-FDIC PFR’s may raise their standards to match the traditionally tougher FDIC standards.

I’ll repeat my advice…the best course of action is to adopt the FDIC interpretation of FFIEC regulations, regardless of your PFR. The worst you’ll do is overshoot the mark.

(…and as I posted here, at least one state regulator has already adopted the FDIC pre-examination questionnaire.)

16 Aug 2010
Hot Topics Tom Hinkel 7 Comments

SSAE 16 replaces SAS 70 – UPDATE

Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stand for “Audit”, but “Attestation”:  Management of the service provider asserts that controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to the assertion.

The other difference is that the SSAE 16 is actually a series of reports.  Financial institutions should become familiar with the format of the new reports, and be prepared when your service providers present you with the new document. You may also want to check whether your current contract with your critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC3) are referenced.  The FFIEC will likely still consider these new reports as the best assurance that your service provider is adhering to your security standards.  According to the AICPA web site:

Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?

A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.

Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors.  Stay tuned, we are expecting additional guidance from the AICPA later this fall.

11 Aug 2010
Hot Topics Tom Hinkel 0 comment

WHO declares H1N1 pandemic over

The head of the World Health Organization (WHO) today declared the H1N1 influenza pandemic over, saying worldwide flu activity has returned to typical seasonal patterns and many people have immunity to the virus.   WHO Director-General Margaret Chan said “The H1N1 virus has largely run its course.”

This likely means that you are unlikely to encounter any additional scrutiny in this area from your examiner, however the FFIEC still requires that all financial institutions have plans in place to detail how they will manage through a pandemic event.   This includes incorporating pandemic into all 4 phases of the planning process.  (See Appendix D of the Business Continuity Planning IT Examination Handbook for additional guidance.)

09 Aug 2010
Hot Topics Tom Hinkel 1 Comment

FDIC can now step in regardless of primary regulator (part 2)

Further to the previous post, the memorandum requires the FDIC opinion to prevail in the event that an institutions’ PFR (primary federal regulator) CAMELS rating differs from the FDIC:

If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of the basis for the FDIC’s position. In the event of a disagreement, the matter must be referred to the FDIC Director of the Division of Supervision and Consumer Protection (Director), or other designee, and the appropriate supervision official of the PFR. Any decision by the FDIC to use an assigned rating different than the PFR’s rating must be made by the Director (or other designee), after consultation with the Chairman of the FDIC.

Again, best advice is to adopt the FDIC interpretation of FFIEC regulations, regardless of your PFR.

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy