Will SAS70s no longer be necessary for Service Providers?

Professionals who conduct SAS70 audits and the organization that develops auditing standards (American Institute of Independent Certified Public Accountants - AICPA) both warn that statements made by service providers often mischaracterize the nature and purpose of the SAS70.

Vendors often imply a level of assurance that may or may not exist; they call it “marketing”. Customers, in turn, often “assume” that a SAS70 covers their business need, which is usually caused by a lack of due diligence or knowledge on the part of the customer. Another problem is that the objectives stated in the SAS70 are often difficult to translate into the customer's legal or business requirements.

A SAS70 is Statement on Auditing Standards No. 70, developed by the AICPA. It is a process in which a CPA verifies that the controls in place are reasonable to mitigate the risk that some defined objectives are not met. The company paying for the SAS70 defines the objectives: it develops a set of objectives it thinks would be important to its customer base, or ones it actually meets. Since a provider attempts to sell its product to multiple industries that must comply with multiple regulations, it usually comes up with a generic set of objectives covering broad topics such as availability, security, privacy, etc. The problem is that the controls the auditor declares “reasonable” do not necessarily meet the regulatory requirements of the customer, such as GLBA, the Massachusetts Privacy Act or other regulations with which organizations must comply.

SaaS (Software as a Service) providers often indicate that their application is hosted in a SAS70 Type II data center. If the provider does not have a SAS70 of its own, the data center's report does not cover the provider's application change management, application security, availability, privacy, etc. Again, it is up to the customer of the service, not the vendor, to determine whether the vendor's SAS70 meets the customer's business and regulatory needs.

The AICPA is now creating a new process called “Service Organization Controls” (SOC) that defines three options for auditor reports of service providers. Once issued, they will effectively replace SAS 70 as the standard for reporting on service organizations.

SOC1 – (also known as SSAE16) a service organization provides a very detailed description of its financial-related controls, to which an auditor will attest. SSAE16 mirrors and complies with the new international service organization reporting standard, ISAE 3402. Effective June 15, 2011.

SOC2 – a new option being formalized; it will be a similar detailed examination of a service firm's controls over security, privacy, confidentiality, availability and processing integrity. The auditor will have discretion to restrict the report's use.

SOC3 – represents a rebranding of the little-used Trust Services attestation and will address the same five non-financial domains. It will continue to offer the “SysTrust Seal”, which is very much like a certification that can be used for marketing purposes.

The AICPA hopes that these new options will “clear up the marketplace”, but unfortunately they will most likely make it murkier before they make it clearer.

The following table describes the broad areas covered by the new Service Organization Controls:

Security – The system is protected against unauthorized physical and logical access.
Availability – The system is available for operation and use as committed and agreed.
Processing Integrity – System processing is complete, accurate, timely and authorized.
Privacy – Personal information is collected, used, disclosed and retained as committed or agreed.
Confidentiality – Information designated as confidential is protected as committed or agreed.

Since some of today's privacy and confidentiality regulations are becoming technically specific, a SOC attestation still may not cover an organization's regulatory requirements; only your own due diligence will tell you whether it does.

In closing, review these tactical guidelines, the first two published by Gartner from their recent Gartner Information Security Summit:

  • If you can't prove otherwise, the only safe assumption is that an external provider is not meeting your security, continuity or compliance requirements.

  • Never assume that a SaaS application is appropriately secure for your business requirements. Demand that vendors provide evidence.

  • Map your regulatory requirements against your vendor's SAS70 or SOCx report to determine whether your regulatory obligations are being met.

  • Document or strengthen your controls for Security, Availability, Processing Integrity, Privacy and Confidentiality.

Although SAS70s may soon no longer be required, the new SOCx process will prove to be more comprehensive and, most likely, more costly.


Contact Visage Solutions today to see how we can assist you with this and other compliance matters.

_________________________________________________________________________

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost-effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank
"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2010 Visage Solutions, LLC.