SAS 70 Is Dead!

Monday, November 15, 2010

PCI Guru


Long live SSAE 16 and ISAE 3402!

One of the most misunderstood things about SAS 70 is that it was technically only a valid auditing standard in the United States, even though SAS 70 reports were issued for non-US service providers and relied upon by businesses and auditors worldwide.

However, that changes for service auditor reports covering periods ending on or after June 15, 2011.  From that date, Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standard on Assurance Engagements (ISAE) 3402 replace the venerable SAS 70.

SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA); ISAE 3402 is issued by the International Auditing and Assurance Standards Board (IAASB), the standard-setting board of the International Federation of Accountants (IFAC).

The good news is that SSAE 16 and ISAE 3402 are, for the most part, the same standard.  There are a few differences that matter to financial auditors and lawyers, but they should not affect anyone relying on these reports for PCI compliance or other purposes.

What is important is that now, no matter where you are in the world, you can obtain an independent assessment of a service provider's controls under a recognized standard.

The other piece of good news is the AICPA's new Service Organization Control (SOC) reporting framework that arrives with SSAE 16.  A SOC 1 report (the SSAE 16 report proper) covers controls relevant to a customer's financial reporting, as SAS 70 did.  SOC 2 and SOC 3 reports cover controls relevant to security, availability, processing integrity, confidentiality and/or privacy, the AICPA's Trust Services Principles.

Because the SOC 2 and SOC 3 criteria are expressed as control objectives rather than a fixed checklist, the controls a service provider has implemented to meet requirements such as ISO 27001, ITIL, PCI DSS, HIPAA or GLBA can be mapped to those criteria and tested in the same engagement.

The difference between SOC 2 and SOC 3 reports is distribution: a SOC 2 report is a restricted-use report, limited to the service organization, its existing customers and their auditors, whereas a SOC 3 report is a general-use report that can be distributed freely.

According to what we have heard from the AICPA, SOC 2 and SOC 3 reports have to be issued as separate reports, and guidance on how they are to be structured is expected by the end of 2010.

So please do not bug your friendly CPA about the new reporting standards until after the first of 2011.

Unfortunately, most financial auditors outside of the United States are unfamiliar with conducting this kind of controls assessment and will need time to get up to speed on attestation engagements.

So those of you outside of the United States need to be patient while the auditors in your country catch up.

The bottom line is that we expect to see a lot of SOC 3 type reports whose testing covers ITIL, HIPAA and PCI requirements.

So start asking your service providers for an SSAE 16 or ISAE 3402 report now, so that they can start asking their auditors to prepare one.

Cross-posted from PCI Guru

Tags: PCI DSS Compliance, SAS 70, ISAE 3402, SSAE 16
Terry Perkins: Thanks for the information. I didn't know SAS 70 was going away.
Online Tech: Great article, we have a similar blog post on our blog about how the new standards affect cloud computing and other hosting solutions:

http://resource.onlinetech.com/sas-70-is-dead-long-live-soc-2-soc-3/

PCI Guru: Because of the newness of the SSAE 16 standard, the AICPA has further refined their definitions of SOC 1, 2 & 3. See my updated post on my blog at http://pciguru.wordpress.com/2010/10/18/sas-70-is-dead/ that clarifies the latest definitions/rules regarding SOC 1, 2 & 3.