Presentation: The Demise of SAS 70 - What's Next? (2011 CT Privacy Forum)

Transcript of Presentation: The Demise of SAS 70

Page 1

The Demise of SAS 70 - What's Next?

September 15, 2011

Presenters:

Jennifer Gerasimov – Senior Manager, Deloitte

Jeffrey Ziplow – Partner, BlumShapiro

Page 2

Agenda

o SAS 70 Background and Overview
o Purpose of a SAS 70
o SAS 70 Myths
o AICPA Trust Services
o SSAE 16 Terminology
o Similarities Between SAS 70 & SSAE 16
o Differences Between SAS 70 & SSAE 16
o SOC 2 & 3 Principles & Reporting Overview

Page 3

o The Demise of SAS 70
o The Death of SAS 70
o The Birth of SSAE 16
o A Realignment of SAS 70 to SSAE 16

Page 4

SAS 70 Background and Overview

o An auditing standard developed by the American Institute of Certified Public Accountants (AICPA)
o Audit standard adopted by AICPA in 1992
o End product is a SAS 70 Report - with an opinion
o Allows 3rd party service organizations to demonstrate they have adequate controls/safeguards
o Between 1992 – 2002, limited use
o Sarbanes-Oxley Act of 2002 revived the SAS 70 Auditing Standard
o Since 2002, the most widely recognized and used internal controls auditing standard

Page 5

• SAS No. 70 provides the requirements and guidance for CPAs reporting on controls at service organizations and for user auditors auditing the financial statements of user entities that use a service organization.

Page 6

o Type I Audit
  o Report on design of controls
  o Controls are for a point in time (e.g. 9/15/2010)
  o Limited value

o Type II Audit
  o Report on tests of operating effectiveness
  o Controls tested over an agreed period (6 months)
  o Most organizations want this type of report

Page 7

Purpose of a SAS 70

o SAS 70 is produced as a result of an audit performed by a CPA to report on the processing of transactions by a service organization
o Over time the use of a SAS 70 report has changed
  o Used as a marketing tool
  o Provides an independent validation/assurance of a service organization to potential clients
  o It allows the third-party service providers to have one audit and share the results with all of its clients….but this was not the original purpose or intention!

Page 8

o The classes of transactions in the entity’s operations that are significant to financial statements.

o The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed and reported are under the control of an organization separate from the reporting entity.

o The occurrence of a transaction that is included in the entity’s financial statements does not begin and conclude under the entity’s control.

o The relevant accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements involved in initiating, recording, processing and reporting the entity’s transactions are under the control of the outsourcer.

Page 9

SAS 70 Myths

o It’s a technology audit only
o I have to do a Type I before a Type II
o It’s an audit with a Pass/Fail status
o I only need to do a SAS 70 Audit once
o Should be used for all types of service organizations in all situations
o SAS 70 is a Certification

Page 10

AICPA Trust Services (SysTrust, WebTrust)

Security, Availability, Processing Integrity, Confidentiality, Privacy

Page 11

o The globalization of information technology and increase in business process outsourcing.

o A highly demanding and changing regulatory environment.

o U.S. convergence with international standards.

o Better structure with more consistent standards

Page 12

Topic / SSAE 16 Guidance

Terminology: SSAE 16. Reports on controls at service organizations will now be performed and issued under SSAE 16. A ‘SAS 70’ report will no longer exist.

Effective Date: Periods ending on or after June 15, 2011.

Scope: Specific to covering internal control over financial reporting.

Additional Guidance: AICPA Practitioner Guide issued June 2011. The practitioner guide will be usable for both the US and International standards and provide information for practitioners and service organizations.

Page 13

New Standards & Options

Service Org Control 1 (SOC 1)
  Standard: SSAE 16 – Service auditor guidance
  Generally Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls for F/S audits
  Historically SAS 70 Reports

Service Org Control 2 (SOC 2)
  Standard: AT 101
  Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls related to compliance or operations
  Trust Services Principles & Criteria

Service Org Control 3 (SOC 3)
  Standard: AT 101
  General Use Report (w/ public seal)
  Purpose: Reports on controls related to compliance or operations
  Trust Services Principles & Criteria

Page 14

Similarities Between SAS 70 & SSAE 16

• Issuance of Type 1 and Type 2 reports
• Management is responsible for the description of the system
• Management to specify control objectives
• Requirement for management to design and implement controls that achieve the control objectives
• Disclosure of complementary user entity controls (UCCs)
• Carve out and inclusive method of reporting for subservice organizations
• Management to provide representation letter
• Restricted Use Report
• Ability to include information in a separate section (i.e. Section 4)

Page 15

Differences Between SAS 70 & SSAE 16

Change / Result of the Change

1. Form of Standard - Auditing Standard to an Attest Standard

2. Applicability of Report - Specific to internal control over financial reporting

3. Type 2 Report to cover a period rather than a point in time
- The opinion will now include coverage throughout the period for design (new), implementation (new), and operating effectiveness

4. Cannot use prior-year evidence to determine operating effectiveness of controls
- Auditor may not reduce tests of controls below the minimum standards (AU350) based on the results from the prior year

5. Clearly identify work performed by Internal Audit function in description of tests of controls
- Description of tests of operating effectiveness needs to include description of Internal Audit’s work and Service Auditor’s procedures over Internal Audit’s work (not applicable for direct assistance)

Page 16

Change / Result of the Change

6. Service Auditor to investigate the nature and cause of any deviations and whether these were caused by intentional acts. Cannot disclaim deviation as isolated.
- Previous standard allowed disclaiming of deviations as isolated incidents
- New consideration of intentional acts

7. Identify risks that threaten the achievement of control objectives
- Management needs to identify risks that are included in the evaluation of the design of controls and development of control objectives [refer to sample at Appendix C]

8. Requirement to assess suitability of criteria
- Management needs to select suitable criteria to prepare description of systems and to evaluate whether controls have been designed, implemented and operating effectively.

9. Management is required to provide a written assertion
- Management needs to have a basis to support their assertion [refer to sample at Appendix A]

10. Subservice organizations are required to provide a similar assertion when the inclusive method is used
- Inclusive subservice organization needs to also provide an assertion that is included in the report (inclusive method only)

Page 17

• One of the most significant changes is the requirement for management to provide a written assertion

• Assertion will be included in the report - either attached to or part of the description of the service organization's system.

• Management will need to have a reasonable basis for making the assertion. The Standards provide some flexibility in actual procedures performed by management.

• Risk Assessment - Service organization management must identify risks that threaten the achievement of the control objective.

Page 18

[Figure: Level of Assertion - reasonable basis for management's assertion, ranging from No Basis through Ongoing Monitoring and Separate Evaluations up to SOX Testing]

Example Procedures
• No Basis: none
• Ongoing Monitoring: Management reporting and other oversight activities; Management risk assessment
• Separate Evaluations: Internal Audit testing/monitoring; Independent regulatory exam; Independent risk assessment
• SOX Testing: Management or independent assessment of operating effectiveness; Service auditor performs testing and issues report

Supporting Documentation
• No Basis: None
• Ongoing Monitoring: Management monitoring documentation; Management risk assessment documentation
• Separate Evaluations: Regulatory reporting; Internal Audit reporting; Independent risk assessment results
• SOX Testing: Testing evidence for the operating effectiveness

Page 19

• Use of Internal Audit
  • When using the support of Internal Audit for controls testing, there are new requirements related to the reporting of the use of Internal Audit within Section 3 of the report.

• Subservice Organizations
  • Carve Out - It’s expected that the Service Organization will do something – they can’t just turn a blind eye.
  • Inclusive - Subservice organization has to provide both an assertion (to be included in the report) and a representation letter.

• User Entities / User Auditors
  • Education and notice to user entities
  • Potential for refinement of user contracts
  • An SOC 1 report is strictly for the processing of transactions related to ICFR
  • Recommended Reading from ISACA: New Service Auditor Standard – A User Entity Perspective

• Changes to the SOC 1 Opinion
  • The opinion references management’s assertion and their responsibility for identifying risks that threaten achievement of the control objectives.
  • The opinion does NOT include a statement on whether management had a reasonable basis for providing their assertion.

Page 20

New Standards & Options

Service Org Control 1 (SOC 1)
  Standard: SSAE 16 – Service auditor guidance
  Generally Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls for F/S audits

Service Org Control 2 (SOC 2)
  Standard: AT 101
  Restricted Use Report (Type I or II Report)
  Purpose: Reports on controls related to compliance or operations
  Trust Services Principles & Criteria

Service Org Control 3 (SOC 3)
  Standard: AT 101
  General Use Report (w/ public seal)
  Purpose: Reports on controls related to compliance or operations
  Trust Services Principles & Criteria

Page 21

SOC 2 Principles

Security
  IT security policy
  Security awareness and communication
  Risk assessment
  Logical access
  Physical access
  Environmental controls
  Security monitoring
  User authentication
  Incident management
  Asset classification and management
  Systems development and maintenance
  Personnel security
  Configuration management
  Change management
  Monitoring and compliance

Availability
  Availability policy
  Backup and restoration
  Disaster recovery
  Business continuity management

Confidentiality
  Confidentiality policy
  Confidentiality of inputs
  Confidentiality of data processing
  Confidentiality of outputs
  Information disclosures (including third parties)
  Confidentiality of information in systems development

Processing Integrity
  System processing integrity policies
  Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
  Information tracing from source to disposition

Privacy
  Management
  Notice
  Choice and consent
  Collection
  Use and retention
  Access
  Disclosure to third parties
  Quality
  Monitoring and enforcement

Page 22

SOC 2 has a similar structure and general approach to SAS 70 / SOC 1
o A SOC 2 report does not need to cover processing related to financial reporting, nor is it intended to support financial reporting for your users.

SOC 2 can be supplied to a wider audience.
o Intended users are management of the service organization, user entities, and other “specified parties.”
o Specified parties can be anyone who understands the nature of the services being provided by the service organization, how the service organization operates, and its internal controls.
o Most practitioners who have looked at SOC 2 feel it will provide more detail throughout the report (narrative section, control activities, tests, etc.) than the existing reports.

SOC 3 allows for unlimited distribution
o Public Seal and “Certification”
o However, a SOC 3 does not include the testing detail or description of the controls

Page 23

Criterion | SOC 1 Report | SOC 2 Report | SOC 3 Report
Professional standard used | SSAE 16 | AT 101 | AT 101
Used by auditors to plan and perform financial audits | Yes | No | No
Used by user entities to gain confidence and place trust in service organization systems | No | Yes | Yes
Obtain details of the processing performed and related controls, the tests performed by the service auditor and results of those tests | Yes | Yes | No
Report generally available - can be freely distributed or posted on a website as a “SysTrust for Service Organizations” seal | No | No | Yes

Page 24

Example: Provider of Cloud Computing Services / Outsourced Email Services
• Not significant from a financial reporting standpoint; therefore, SOC 1 may not be the right option.

Call Center Services
• User Organizations may be concerned about handling of end-customer information, and a SOC 2 report may demonstrate that there are controls encompassing the security, confidentiality, and privacy of information

Medical Claims Processing Service Provider
• A SOC 2 report focused on processing integrity (completeness, accuracy, timeliness, etc.) could provide customers with comfort regarding the controls over transactions in claims processing. This may be prepared in addition to a SOC 1 report, leveraging existing controls and testing.

Page 25

Jennifer Gerasimov, MPH, CISA
Senior Manager, Deloitte
860-725-3149 – Work
860-805-0838 - Cell
[email protected]

Jeffrey Ziplow, MBA, CISA, CGEIT
Partner, BlumShapiro
860-561-6815 – Work
860 12 9 - Cell
[email protected]