The New SAS 70 (SSAE 16) Standard from Both a

Presented by:
Michael Pinna – WeiserMazars LLP
and
Joel Lanz - Joel Lanz, CPA P.C.
June 28, 2011
The End of the SAS 70
- The Statement on Auditing Standard (SAS) No. 70 is being replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 16.
- This new reporting standard became effective for periods ending on or after June 15, 2011. It is in effect NOW!
The End of the SAS 70
- One of the most immediate differences between the SAS 70 and the SSAE 16 is that the new SSAE 16 reporting now falls under an attest standard and not an auditing standard.
Why Was the SSAE 16 Introduced?
- New Technologies. Since the inception of the SAS 70 in the mid-1990s, technologies have evolved at a frantic pace. Some current technologies like the Internet, mobile computing, wireless communications and technology hosting were just in the beginning phases when the original SAS 70 standard was developed. These technologies have moved computing into the mainstream of life in the modern world.
Why Was the SSAE 16 Introduced?
- Growth in Outsourcing. With the growth in technology, many firms have begun embracing outsourcing as a method of providing for their technology needs without necessarily developing or “buying” the resources. This has led to an increased demand for firms to gain assurance that the controls and processes employed by these outsourcing firms are in place and operating effectively.
Why Was the SSAE 16 Introduced?
- Globalization. The advances of technology and communications have made the world smaller. Electronic information can now be stored and accessed from almost anywhere in the world.
Why Was the SSAE 16 Introduced?
- International Standards Convergence. The SSAE 16 standard incorporates the key elements that have been introduced in other international standards such as the International Standard on Attestation Engagements (ISAE) 3402. While there are differences between the SSAE 16 and the ISAE 3402, the new SSAE 16 moves the United States in line with the international standards.
Why Was the SSAE 16 Introduced?
- Overuse of the SAS 70. SAS 70 reports were being used in ways for which they were never intended, such as:
  - Operational reports with little or no controls relevant to financial reporting at the user organizations.
  - SAS 70 as a de facto standard in “certifying” control compliance (i.e., SAS 70 certified “branding” on many web sites or press releases).
SAS 70 “Remnants” in the SSAE 16
- Service Organization Control (SOC 1) Reports in the SSAE 16 standard will continue to address controls over financial reporting, as was performed in a SAS 70.
- More to come on reporting later in the session!
SAS 70 “Remnants” in the SSAE 16
- The use and preparation of Type I and Type II Reports.
  - A Type I report will cover the design of controls assertion and will still be “as of” a point in time.
  - A Type II report will not only address the design of controls assertion but also cover the test of operating effectiveness assertion. This report will cover a period of time of no less than 6 months (recommended).
SAS 70 “Remnants” in the SSAE 16
- The use of sub-service organizations by reporting entities remains the same. Entities may still use either the carve-out or the inclusive method of reporting on the use of sub-service organizations.
SAS 70 “Remnants” in the SSAE 16
- The SSAE 16 report will continue to have a restricted use, in that the report should address controls over financial reporting that are relevant to the service organization’s clients and the independent auditors of their clients.
What has Changed with the SSAE 16?
- Management Assertion. The SSAE 16 report will include a written assertion by the management of the service organization that:
  - The description of the system(s) and processes in the SSAE 16 report are fairly presented.
  - Any changes to the system(s) and processes during the period covered by the report have been disclosed (type II reports).
  - The controls related to the control objectives stated in the description were suitably designed and/or operating effectively.
What has Changed with the SSAE 16?
- Use of Suitable Criteria. The service auditor must assess whether management has used suitable criteria in:
  - Preparing the description of the system(s) and processes in the SSAE 16 report.
  - Evaluating whether the controls were suitably designed to achieve the control objectives in the description.
  - Evaluating whether the controls operated effectively throughout the specified period to achieve the control objectives stated in the description (for a type II report only).
What has Changed with the SSAE 16?
- Minimum criteria for evaluating suitability include:
  - Fairness of presentation relative to the description of the system
    - Presents how the system was designed and implemented
    - Includes relevant changes during the period
    - Does not omit or distort relevant information
  - Suitability of the design of controls
    - Management identified the risks that threaten the achievement of the control objective
    - Controls, if operating as described, provide reasonable assurance that control objectives would be achieved
What has Changed with the SSAE 16?
- Minimum criteria for evaluating suitability include:
  - Operating effectiveness
    - Consistent application throughout the period
    - Manual controls applied by individuals with appropriate competence and authority
What has Changed with the SSAE 16?
- Design of Controls Assessment. The design of controls assessment now covers the same period of time as the operating effectiveness assessment in a type II report. In a type II SAS 70 report, the design of controls assessment was as of a specific date.
What has Changed with the SSAE 16?
- Use of Internal Audit. The service auditor may use the work of an internal audit department in performing the fieldwork for an SSAE engagement. In order to use the work of an internal audit department, the service auditor needs to evaluate whether the work performed by the internal audit department is adequate for the service auditor’s purposes. If the internal audit department’s work is used in performing testing of controls for a type II report, then the use of internal audit and the service auditor’s procedures with respect to that work should be disclosed in the section of the report that details the nature and extent of testing performed.
Reporting Under the SSAE 16
- The AICPA has outlined 3 types of Service Organization Control (SOC) reports that can be produced, as follows:
  - SOC 1 Report — Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. This is the old SAS 70 reporting.
  - SOC 2 Report — Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
  - SOC 3 Report — Trust Services Report for Service Organizations.
Reporting Under the SSAE 16

Focus
  SOC 1: Controls that are likely to be relevant to a user entity’s financial reporting
  SOC 2: Security, Availability, Processing Integrity, Confidentiality, and/or Privacy
  SOC 3: Security, Availability, Processing Integrity, Confidentiality, and/or Privacy

Types of processes and systems
  SOC 1: Limited to processes and systems that are relevant to financial reporting
  SOC 2: May be performed on any process or system
  SOC 3: May be performed on any process or system

Criteria
  SOC 1: Designed to address needs of financial statement audit
  SOC 2: Designed to provide assurance to customers, business partners and other interested parties
  SOC 3: Designed to provide assurance to customers, business partners and other interested parties

Intended Audience
  SOC 1: User organizations and their auditors
  SOC 2: Customers and business partners
  SOC 3: Customers, business partners and other interested parties

Use / distribution
  SOC 1: Restricted
  SOC 2: May be restricted
  SOC 3: Generally unrestricted
Using the New SSAE 16 Reports
- There is new guidance that will be in place for the users of the new SSAE 16 SOC reports.
- This guidance will be a new Statement on Auditing Standard - Audit Considerations Relating to an Entity Using a Service Organization.
- The effective date for the implementation of this SAS is not until December 15, 2012.
Using the New SSAE 16 Reports
- The objectives of the user auditor as defined by the new SAS, when the user entity uses the services of a service organization, are to:
  - Obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit. This understanding should be sufficient to identify and assess the risks of material misstatement.
  - Design and perform audit procedures responsive to those risks.
Why Did Clients Believe That SAS 70 Was Their Savior?
A Sample of Actual Vendor Representations Regarding SAS 70
- ...it has successfully issued its SAS No. 70 Type 1 report…. The self-initiated audit demonstrates...commitment to its customers as a reliable, transparent, secure ASP that is focused upon minimizing risk, increasing value, maintaining service availability, and preserving client privacy and data security.
- Protecting customer data is the cornerstone of...success. Our SAS No. 70 audit is an important way to independently validate how well we manage...security.
- ...passing the SAS No. 70...Type I audit is a key requirement for companies who wish to perform data-center and Web-hosting functions for financial...or other security-sensitive or regulated organizations. Such institutions can’t use...firms that haven’t passed the SAS No. 70 audit.
- Thus, many Clients believed that further oversight in these areas would be a duplication of efforts – that the vendor had already independently performed these assurance efforts!!!!
But The Real Challenge: Right to Audit Clause
- Too expensive to execute – chargebacks and out of pocket
- Difficult to include in contracts given vendor consolidation
- May “offend” the vendor if executed
- What to do on a vendor audit
The Client’s “Compliance” Dilemma and Why It Needs SOC
Financial Reporting
Industry Regulations
- Accuracy
- Security
- Data Integrity
- Privacy
- Availability
COSO Internal Control – Integrated Framework
From the AICPA’s Perspective: What is the Client’s Role?
- Management of a User Entity is responsible for assessing and addressing the risks faced by the User Entity.
- Although management of a User Entity can delegate tasks or functions to a service organization, the responsibility for those tasks and the services the service organization provides cannot be delegated.
- A User Entity that relies on a service organization that processes, maintains, or stores information for the User Entity needs to understand and monitor the systems being relied upon for such services in order to:
  - assess stewardship or accountability
  - assess the entity’s ability to comply with certain aspects of laws and regulations
  - assess the integrity of the information provided
  - assess the activities of the entity
Sample Vendor Management Risks
- Where’s the data?
- Privacy protection programs
- Enforcing SLAs and key contract terms
- Implementing unique Client contract terms
- Control over additional or special services
  - e.g., unique Client add-on or upgrade
- Accuracy of invoices
- Vendor’s BCP test does not include Client unique issues
- Third party reports – how much can we rely on them?
- Inability to perform periodic due diligence
- Ability to monitor vendor activities
AICPA’s User Methodology
(adapted from “Understanding How Users Would Make Use of a SOC 2 Report,” AICPA Trust/Data Integrity Task Force)
- The User Entity should understand whether:
  - the services relevant to the User Entity are included.
  - there is a clear system description.
  - the controls are relevant, with consideration of planned reliance on the operational and compliance controls, and the relationship to complementary User Entity activities.
  - the report covers a period of time or a point in time and whether that time period is relevant to the User Entity’s coverage needs.
  - there is contiguous coverage between reports.
  - there should also be consideration of the level of change and the cyclical nature of processing within the system as well as historical information about the system.
SOC 1 New User SAS
- The new clarified SAS for user auditors - Audit Considerations Relating to an Entity Using a Service Organization - expands on how a user auditor audits the financial statements of a user entity to enable user auditors to fulfill two important requirements of the risk assessment standards:
  - (1) to obtain an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and
  - (2) to design and perform further audit procedures responsive to those risks.
- The effective date of the new SAS is for audits of financial statements for periods ending on or after December 15, 2012. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU 324.
How To Incorporate SOC Reports into IT Vendor Management Programs
- Managers and their auditors (both internal and external) should discuss the need to actually review the report.
- At a minimum, the report could provide risk managers with a good source of background information on the vendor.
- Review the vendor management policy describing the need, if any, for various departments to review the report.
- The report will clarify whether it is a Type I or Type II report.
  - Type I – Identified Controls Not Tested
  - Type II – Identified Controls Tested
- The report section entitled “The Service Organization’s Description of Controls” enables the vendor to provide background information that it deems to be important to readers. This section is generally not audited by the auditor and should be treated as such.
- The next section, “Information Provided by the Service Auditor,” provides additional details about the suitability of controls identified to support the control objectives.
- In a Type II report, the auditor tests the effectiveness of these controls. Because the vendor and not the auditor specifies the control objectives being reported on, potential weaknesses can be identified by noting the types of control objectives normally associated with the given process that are not included.
- Typically the last section, “User Control Considerations,” normally a one- to two-page section of the report, is a must-read for all. This section identifies those controls identified by the service auditor that are the responsibility of the customer.
About the Presenters
Michael Pinna
Michael Pinna has over 22 years experience auditing IT, financial, and operational controls across a wide variety of industries including manufacturing and distribution, financial services, not-for-profit, technology, and professional services. Michael is currently the Director of the Information Technology Assurance practice at WeiserMazars LLP and is responsible for all IT aspects of many of the Firm’s SOX engagements and also specializes in performing SAS 70 and Sarbanes-Oxley IT reviews. Before joining Weiser, Michael held positions with First Data Corporation as a Director of Technology Audit, with Ernst & Young as a Senior Manager, and with Deloitte & Touche as a Manager. Michael is currently serving as the Chairman of the Technology Assurance Committee within the New York State Society of CPAs (NYSSCPA).
Michael can be reached at michael.pinna@weisermazars.com.
About the Presenters
Joel Lanz
Joel’s niche practice provides technology risk management, information security and IT audit services to various organizations. Joel serves on the Editorial Boards of The CPA Journal and Bank Accounting & Finance. Joel also serves on the AICPA’s CITP Credential Committee and co-chaired the AICPA’s 2010 and 2011 Top Technologies Task Force. Joel is an adjunct professor of accounting at SUNY – College at Old Westbury. Joel formerly chaired the NYSSCPA’s Information Technology and Technology Assurance Committees.
Joel can be reached at jlanz@joellanzcpa.com.