
SAS 70 Replaced by Two New Standards

ISACA has announced that the venerable SAS 70 is going away at the end of 2010:

Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards: an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization.

These new standards are to be used for periods ending on or after June 15, 2010.

  • International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization

ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB), while SSAE 16 is the "local" standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

One of the big complaints about SAS 70 was that it allowed the entity being audited to drastically limit scope. A test might cover only physical security, for example, while logical security controls were ignored entirely. An ISAE 3402/SSAE 16 report still allows this gap; however, the audit guidelines state that a report should clearly explain what was not included in the review and the resulting report.

Likewise, a complaint about a Type 1 SAS 70 was that it did not test whether controls were actually effective in operation. This distinction persists in the new standards, though not in exactly the same form. In a Type 1 report, the auditor opines on whether a service provider's description "fairly presents" its system and whether the controls are "suitably designed to achieve control objectives" as of a specified date. A Type 2 report adds to this an opinion on whether the controls operated effectively over a specified period of time.

Although the Type 2 seems similar on first review, I noted a major difference in the new standard. A SAS 70 Type 2 audit opinion used to be based on the status of controls on the final day of the review period. ISAE 3402/SSAE 16 appears to require the opinion to cover the entire period under review. The new Type 2 also requires a formal written assertion from management.

Posted in Security.


2 Responses


Continuing the Discussion

  1. Tweets that mention SAS 70 Replaced by Two New Standards flyingpenguin -- Topsy.com linked to this post on August 3, 2010

    [...] This post was mentioned on Twitter by Win Security, davi ottenheimer. davi ottenheimer said: SAS 70 Replaced by Two New Standards http://goo.gl/fb/w3N1g [...]

  2. Goodbye SAS70 – The Compliance Strawman linked to this post on August 4, 2010

    [...] controls they are implementing, I found out from an IT Auditor that SAS70 was being retired at the end of 2010. Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards: an [...]
