Tag: Vendor Management

20 Sep 2010

SSAE 16 replaces SAS 70 (…sort of) – UPDATE 2

In my last post I indicated that the AICPA would have additional guidance on this topic this fall.  It appears that we may now have to wait until early 2011.  According to this document from the AICPA,

“The existing (AICPA Audit) guide is being overhauled and rewritten to reflect the requirements and guidance in SSAE No. 16. The revised guide is expected to be available for sale in early 2011”.

This presents a dilemma for service institutions whose existing SAS 70 reports have expired, or are about to expire.  I will address this in greater detail in a future post.  But the much bigger issue is for financial institutions that rely on SAS 70 reports to validate the adequacy and effectiveness of controls at their service provider.  As I made clear in my last post, the new SSAE 16 reporting standard is not designed to address controls over subject matter other than financial reporting.  According to a recent article:

In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

For the vast majority of vendors that provide products and services to financial institutions, the SSAE 16 is not appropriate unless the product or service provided directly impacts financial reporting.

If you are a financial institution with outsourced IT services, you should be far more interested in the privacy, security, confidentiality, integrity and availability of your (and your customers’) data at the service provider.  The report you want is called a Service Organization Control (SOC) Report. There are 3 different reports:

  • SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
  • SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  • SOC 3 – Trust Services Report

Your service provider may present you with any one of these (or the SSAE 16), and with either a Type I or Type II.  I believe that the SOC 2, Type II will be adopted as the de-facto standard for organizations that provide IT related services to financial institutions (including managed services like cloud computing).

The guidance we are waiting on from the AICPA is a report called “Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy”.  Again, it’s not expected until early next year, but financial institutions should start planning now.  Ask your service provider to tell you what report they plan to provide to you, and then determine whether or not the report provided sufficiently addresses your concerns.

Bottom line…this is no longer simply a “check-list” item in your vendor management program!

To be continued…

16 Aug 2010

SSAE 16 replaces SAS 70 – UPDATE

Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stands for “Audit”, but “Attestation”:  Management of the service provider asserts that controls relative to security, availability, integrity, confidentiality and privacy are both adequate and effective, and the auditor attests to the assertion.

The other difference is that the SSAE 16 is actually a series of reports.  Financial institutions should become familiar with the format of the new reports, and be prepared when your service providers present you with the new document. You may also want to check whether your current contracts with your critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the other service auditor reports (SOC 1, SOC 2 or SOC 3) is referenced instead.  The FFIEC will likely still consider these new reports as the best assurance that your service provider is adhering to your security standards.  According to the AICPA web site:

Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?

A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.

Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70 for all financial institution vendors.  Stay tuned, we are expecting additional guidance from the AICPA later this fall.

07 Jun 2010

Vendor Management – BITS and Pieces

The effective management of critical vendors is an essential risk control. The FFIEC mentions this several times in their Examination Handbooks, most recently in the “Information Security” Handbook from July, 2006. Although most financial institutions are accustomed to approaching this from their own perspective, i.e. from the serviced side, this white paper will take a different perspective and approach this issue from our side; the side of the servicer.

Download this white paper now.