The Auditing Standards Board of the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization.” This new Standard is similar to the global standard (ISAE 3402). SSAE No. 16 will supersede SAS No. 70. The effective date for SSAE No. 16 will be for service organization reports with periods ending on or after June 15, 2011.
Here is the excerpt verbatim from the AICPA:
Q. — Will entities now become “SSAE 16 certified”?
A. — No! A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor to auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.
The answer is a resounding and definitive “No!” According to an article I found on Datamation: How Cloud Computing Security Resembles the Financial Meltdown, putting all your faith in a vendor’s claim to be SAS 70 certified is one of the riskiest move you can make on behalf of your company.
“Who’s issuing these certifications?” it asks. “And where’s the money coming from to pay the auditors checking off the list?” The answer is always: the vendors themselves. Which makes sense, right? Who else should pay a third party auditor to cross-examine a vendor’s internal processes but the vendor, as a courtesy, convenience, and assurance to its customers that they have their act together and can be trusted.
The point made in the Datamation article was that it was third party auditors who signed off all those shoddy sub-prime mortgages as AAA-rated assets, and they were paid by the schmoes needing the recommendation. Shady enough for you? It certainly doesn’t inspire the greatest confidence in organizations that likewise pay their auditors, and that’s not entirely fair.
Of course, there is always the option to hire your own auditor instead of relying on the group hired by the company you’re investigating, but not many of us can bear the expense. It ends up being an excellent PR move for vendors to stamp a “SAS 70 Certified” icon on their site with the message: “Your data is safe with us. We’ve been certified.”
Savvy consumers would request tangible proof, a report of some kind that they can hold in their hand, and requesting this report is the first step in doing your proper due diligence. As nice as it would be to take anyone’s word for it when they promise you the world, it’s a luxury that has probably never existed in any bygone era. The reality is you’ve got to do your research, and any company you do business with has to have the history and the list of satisfied clients to back them up and give a little weight to their claims.
In my personal opinion, it should be a good sign if the company you’re thinking of using as your cloud computing provider can say it’s SAS 70 certified and then prove it. Especially if it’s also gone through the trouble to become certifiably PCI Compliant. And then even more especially if it can give you a list of client referrals that can attest to their positive experience with that particular provider. Altogether it means that the company has its head on straight, is up-to-date on current industry standards, and is proactively on top of its game. It will go that extra mile to grant its customers the assurance they need to entrust their data to them, and that in itself is a valuable consideration to have when you’re comparing the top providers.
So what is the bottom line to my company?
If you are a service provider, having a SAS 70 report ready can mean a shortcut for your company to help its customers with their auditing and compliance needs. It can help your company to maintain security and policy awareness, which will build your ability to perform in an ever more risk-adverse financial world. Likewise, such certifications are growing increasingly attractive to potential clients and can make or break a deal.
An SAS 70 audit can be a real walk in the park if you are confident that your policies are well documented, and properly followed by your employees. This is something you need to do anyway to ensure the viability of your company as a service provider. As long as you are already implementing policies and procedures and following them correctly, your audit should be a painless and interesting process which will help you get an outside person’s view into your daily workflow.
If you have service providers you do business with and need to make sure they are staying compliant with their own policies, an SAS 70 report can help your company to feel more secure about the providers you do business with. Additionally, if you need to comply with industry standardization requirements or policy requirements internally, you can save your company and your auditors’ time and money by having an SAS 70 report on hand from each of your major service providers.
What if I want more specific guide lines on what to do before getting a SAS 70 Audit?
Groups such as the Information Systems Audit and Control Association (ISACA) and The IT Governance Institute have published many frameworks and guides for information security and auditing. Other standards that companies may be required to adhere to (such as PCI-DSS etc.) may actually have more specific requirements that can easily be used to create policies and procedures that will allow a SAS 70 audit to be performed.
Can I fail a SAS 70 audit?
Yes, actually you can. When a service provider is audited, their report can be given an ‘unqualified opinion’ on whether they have policies and procedures as desired and whether they comply with them. An ‘unqualified opinion’ is essentially a ‘passing’ grade. If the service provider either cannot produce the policies and procedures as desired or they fail to demonstrate compliance with their policies and procedures, a ‘qualified opinion’ is given at the end of the report. Essentially, the report will include a ‘qualification’ for each deviation from policy/procedure. This is not exactly a failure, per se. It simply means that the report shows that the service provider is not in 100% compliance with their own desired policies and procedures. The report would have to be considered in more depth by a customer’s auditors to determine what that particular shortcoming means to that particular customer.
Essentially, even though any given service provider will determine their own policies and procedures that they need to comply with to have an unqualified SAS 70 report, it is not uncommon for a service provider to fail to enforce those policies and procedures or to find that employees are either not properly trained on procedures or not following them properly. That is why the auditing needs to be done on a recurring basis and a Type II report can be much more meaningful than a Type I report. If a service provider fails to comply with their own policies, they would need to correct whatever issue caused a qualification to be listed on the report and then repeat the audit process to have a new report generated.
Will my Service Provider’s SAS 70 report expire and does it need to be renewed?
Not really. The report targets auditing of either one point in time (Type I) or a specific time period (Type II) such as a 6 month period of auditing. Therefore a report is valid as long as it was correctly produced. Of course things change and companies procedures and policies and their ability to execute them will change over time as well, so realistically a report is of less and less value the older it is. Any given provider will probably want to–or be required by their customers–to have a new report generated on a yearly basis as it seems reasonable to ensure that policies are up-to-date and followed appropriately.
So what good will it do me to get a report from my Service Provider?
Well, if your company is already subject to industry standardization requirements such as PCI-DSS, Sarbanes-Oxley, or other standards, your auditors will probably make repeated requests to obtain information from your various service providers about their security procedures and policies. Having a Type I or Type II SAS 70 report on hand will allow the service provider to easily supply information to auditors in a familiar manner that should satisfy a lot of those requests which will save your auditors time and save you money.
If you are a service provider, the reverse applies to you. Having a Type I or Type II report ready to go means you can provide information to your customers that makes their lives easier and helps them get back to business.
Wait, there is more than one kind?
Actually there are two types of SAS 70 audit reports, Type I and Type II. Type I is a ‘report on controls placed in operation’. Type II is a ‘report on controls placed in operation and tests of operating effectiveness’. The only difference is the additional testing of the effectiveness of established operations.
A Type I report states the auditor’s opinion on the service provider’s ‘controls’ or policies and procedures at a particular point in time (the time of the audit). Basically it gives a good idea of whether the controls are fairly presented, whether they are well designed to achieve the desired objectives, and whether they were in place at the time of the audit. The Type I report essentially provides a quick snapshot idea of a service provider’s policies and procedures as they are defined by the service provider in question.
A Type II report is similar to a Type I report but expands the scope from a single auditing instance to a longer period of time, such as 6 or 12 months to provide a more complete idea of whether the service provider is really complying with their own policies and procedures on a day to day basis. This kind of report can be much more revelatory to most groups because almost anyone can quickly fake up some compliance efforts for a day while the auditor is in the office.
What companies really need some kind of SAS 70 auditing and verification?
Commonly, SAS 70 applies to companies that handle financial transactions, credit information, or other private data on a routine basis. However, if your company provides services that have to do with any industry where security of information is considered important, such as medical information, public security information, or insurance claims and information, you should consider at least using SAS 70 as a guide to help you prepare for implementing compliance.
You don’t need to worry about the specifics of your service provider’s compliance because there is no real hard set of rules that govern SAS 70 compliance. Each service provider’s rules and policies will be different because SAS 70 is a financial auditing statement, not a security policy certification. It concerns itself with assuring the appropriateness and efficacy of a service provider’s ‘controls’. Basically whatever the service provider deems to be important to control, it must have policies and procedures to do so and it must follow them in order for a SAS 70 audit to produce a ‘successful’ report.