Palmer, Robert
ISSC471
Professor Davis
The SAS 70 standard was replaced by a new standard in June of 2011. Please research the new standard published by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). For week two assignment you are required to research the following: (1) Describe the SAS70 standard (2) Describe the SSAE16 standard (3) Compare and contrast SAS70 with SSAE16
SSAE 16 officially replaced SAS 70 as the audit standard for service organizations. The change was needed for several reasons, but perhaps the most important was to bring the service-audit standard more in line with Sarbanes-Oxley (SOX). SSAE 16, like SOX, requires the service provider to define its overall business and control processes and to assert their effectiveness before the service audit begins. The service auditors then test and assess management's statements and render an opinion on their effectiveness. This process is similar to what publicly traded companies must go through during their SOX audits:
Management is required to assert and attest to the validity of its controls over every business process that affects the financial statements, even where those processes have been outsourced. In contrast, SAS 70 was not assertion based: under SAS 70 the service provider's management did not describe its processes and controls or offer an opinion on their effectiveness. The service provider simply outlined the processes it wanted tested, and the auditors tested them and reported on their effectiveness, whether good or bad. Like SAS 70, SSAE 16 is to be used when an organization outsources, according to the American Institute of CPAs (AICPA), "a business task or function and the data resulting from that task or function is incorporated in the (customer's) financial statements." This statement creates broad applicability to a significant number of service providers, including payroll providers, data center and colocation providers, managed services companies, and an ever-increasing array of cloud service providers.
SSAE 16, just like SAS 70, does not prescribe the controls that must be covered in the assessment of IT controls. It is for the service provider to decide which controls are essential to the services being provided. The service auditor still issues a Type I or Type II report. Both report types rely on management's description of controls, and the scope of each report is similar to that under SAS 70.
The main difference between SAS 70 and SSAE 16 is the depth of information the service provider must give the service auditors, including (among other things):
Management attestation of their overall service offering and underlying control structure
Verification that appropriate criteria are used for system evaluation
Current evidence for every control during each assessment, rather than reusing prior evidence