Advisory – Important Changes to SAS 70 Requirements

From Bud Genovese, Managing Director, AuditOne Inc.

This AuditOne Inc. Advisory Alert is intended to help you become familiar with important changes to the traditional SAS 70 Types I and II reporting process. The new rules, entitled Statement on Standards for Attestation Engagements #16 (SSAE16) replaces the SAS 70 rules, and become effective for reports for periods ending on or after June 15, 2011.  Based on the Statement on Standards for Attestation Engagements issued by the Auditing Standards Board, there are three main changes to understand. You can be confident that AuditOne Inc. has analyzed all the changes and is prepared to lead you step by step to cost-effectively meet all the requirements.  Let’s now take a closer look at what’s new.

  1. Under SSAE16, the service provider must provide a written statement of “the description of the provider’s system” that will be included in Section 2 of the SSAE16 report. This is new and not previously required. This system description is to include: how the system was designed and implemented to process relevant transactions; any material changes to the system during the period covered; statement of the system controls; etc.  AuditOne Inc. can help you prepare every aspect of this statement, ensuring you meet the requirements of new SSAE16 report.
  2. The service provider will provide an “Assertion by Management” of a Service Organization for a Type I or II Report. While this is technically new, it is basically the same content as the “Representation Letter” now done for SAS 70s. The major difference is that this new Assertion by Management letter must now be incorporated into the SSAE16 report. Again, AuditOne Inc. can guide you through the process of meeting this requirement.
  3. The SSAE16 can be accomplished by either the “Carve-Out Method” or the “Inclusive Method.” The Inclusive Method includes a description of the nature of the services and controls provided by subservice organizations. The Carve-Out Method does not examine the controls of the subservice organizations’ systems. AuditOne Inc. recommends the Carve-Out method because it is similar to the familiar SAS 70 process, and it saves you time and money.

We Sweat the Details So You Don’t Have To

AuditOne Inc. is dedicated to working hard to stay current on all the changes, nuances, and requirement techniques of the SSAE16 process. Our skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SSAE16 and SAS 70 service in the industry. If you have any questions about the new process or would like to schedule a SAS 70 or SSAE 16 review, please contact me.  I’ll be more than happy to help you understand the new procedures, and why AuditOne Inc.’s reliability and cost-effectiveness makes it the market-leading smart choice.