ISACA has announced that the venerable SAS 70 is going away at the end of 2010:
Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards: an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization.
These new standards are to be used for periods ending on or after June 15, 2010.
- International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization
ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB), while SSAE 16 is the “local” standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).
One of the big complaints about SAS 70 was that it allowed the entity being audited to drastically limit scope. A review might cover only physical security, for example, while logical security controls were ignored. An ISAE 3402/SSAE 16 report still allows this gap; however, the audit guidelines state that a report should clearly explain what was not included in the review and report.
Likewise, a complaint about a Type 1 SAS 70 was that it did not test whether controls were operating effectively. This limitation is still present in the new standards, although not in exactly the same form. In a Type 1 report, the auditor states whether a service provider’s description “fairly presents” its system and whether the controls are “suitably designed to achieve control objectives” as of a specified date. A Type 2 report adds to this an opinion on whether the controls operated effectively over a specified period of time.
Although the Type 2 report seems similar at first glance, I noted that there is a major difference under the new standard. A SAS 70 Type 2 audit opinion used to be based upon the status of controls on the final day of the review period. An ISAE 3402/SSAE 16 opinion appears to be required to cover the entire period under review. The new Type 2 report also requires a formal written attestation from management.