Tag: AICPA

29 Apr 2011
Hot Topics Tom Hinkel 0 comment

Vendor Management and the SAS 70 Replacement

I’ve written about the replacement for the SAS 70, which officially phases out on June 15th, previously.  But because this one report is being replaced with 3 new reports, financial institutions have an additional challenge that they didn’t have before.  Your vendor management program must now determine the most appropriate report to request based on your specific concerns regarding the vendor. Of course, once the correct report is identified, you must then acquire and review it…this step doesn’t change from the old SAS 70 world.

In the past, determining the correct report wasn’t really necessary, as the SAS 70 was the only reporting tool available if you needed to validate the security controls in place at a service provider.  With the SAS 70 being replaced with the SOC 1, SOC 2, and SOC 3, you have 3 options to choose from (and with Type I and Type II versions for the SOC 1 and SOC 2, you really have 5 options!).   So how do you choose?  It might make sense at this point to back up and take a look at the overall vendor management process.

The FFIEC considers risk management of outsourced services to consist of the following components:

  1. Risk Assessment (assessing the risk of outsourcing)
  2. Service Provider Selection (the due diligence process)
  3. Contract Issues (prior to signing the contract)
  4. Ongoing Monitoring (post contract)

Most institutions believe that their vendor management program begins once the contract is signed, i.e. once the vendor become a vendor.  But it’s clear that the vendor management process must begin well before that, and in fact third-party reviews like the old SAS 70, and the new SOC reports, should be obtained during the due diligence phase.  This is the proposal phase (step 2 above), well before the decision to engage the vendor.

According to the FFIEC, the due diligence process should determine the following about the vendor:

  • Existence and corporate history;
  • Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate;
  • Other companies using similar services from the provider that may be contacted for reference;
  • Financial status, including reviews of audited financial statements;
  • Strategy and reputation;
  • Service delivery capability, status, and effectiveness;
  • Technology and systems architecture;
  • Internal controls environment, security history, and audit coverage;
  • Legal and regulatory compliance including any complaints, litigation, or regulatory actions;
  • Reliance on and success in dealing with third party service providers;
  • Insurance coverage; and
  • Ability to meet disaster recovery and business continuity requirements.

That is a lot of information to obtain from a non-vendor, but the new SOC reports, and the SOC 2 report in particular, will go a long way towards addressing many of the above concerns.  Specifically; systems architecture, internal controls, any third-party providers, insurance coverage, and business continuity would all be addressed in a SOC 2 Type II* report.

I’ve developed this flowchart to assist you with the correct SOC report selection process, and I encourage you to discuss it with your auditor.  Of course once the correct report for that vendor has been determined, you must then obtain and evaluate it…that is a topic for a future post.

*Note:  We are still waiting for the AICPA to finalize the work program for the SOC 2 and SOC 3 reporting format.  Check with your auditor for additional guidance.

 

22 Feb 2011
Hot Topics Tom Hinkel 1 Comment

AICPA finalizes SAS 70 replacement

I wrote about this here as well, but it’s now official:  The AICPA has clarified the SAS 70 replacement reports.  They are actually officially being referred to as “Service Organization Control Reports (formerly SAS 70 reports)”.

The new SOC reports provide a framework for auditors to examine controls and to help senior management understand the related risks of outsourcing to a service provider.

According to the AICPA:

“Companies had misused SAS 70 to issue reports on controls related to outsourced non-financial data rather than the correct attest standard which was in place. The SOC reports clarify which standard needs to be used and how it should be implemented to meet specific user needs.

  • SOC 1 reports are primarily an auditor-to-auditor communication which addresses the controls at a service organization relevant to financial reporting. These reports are restricted use reports and therefore are not designed for promotional purposes. – (This is the functional replacement for the SAS 70 only where financial controls are concerned.)
  • SOC 2 reports are in response to the rapid growth in cloud computing  and data outsourcing, as well as the marketplace need for clarification on how reports on  non-financial controls regarding information, such as data security, confidentiality and privacy should be structured. – (This will likely be the SAS 70 replacement for the vast majority of service organizations)
  • SOC 3 reports cover the same subject matter as SOC 2, but in a general use, short form format which may be freely distributed.”

Get used to seeing this logo instead of the myriad of SAS 70 logos:

SOC Reports

 

Most importantly, know what it is…and what it isn’t.  Understand why your vendor chose one report over another, and determine if the report is relevant to you, and adequately addresses your concerns.  The term “SAS 70” is mentioned 31 times in 8 of the 12 IT Examination Handbooks, so it is a critical element in how the FFIEC expects you to manage your vendor relationships.  No word yet on how the FFIEC will address this going forward…

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy