Quick Links

Legal & Sitemap

Home > Trends & Insights > Changes to the SAS 70 Landscape


Thursday, March 31, 2011

Changes to the SAS 70 Landscape

The American Institute of CPAs (AICPA) recently issued the new controls auditing standards that build on and replace the almost twenty-year-old SAS 70 standards and will affect reports issued after June 15, 2011. These updated standards were needed as business has evolved drastically since SAS70’s inception and the standard had not evolved accordingly. The new standards, called Service Organization Control (SOC) reports provide for greater focus on controls that are specific to the objectives that are most relevant to service organization customers.

SAS 70 Evolution

SAS70 was introduced in 1992 at a time when outsourcing was in its early stages.  Many companies found it beneficial to outsource key business processes (e.g. payroll, transaction processing, etc.) but retained the majority of their IT processes in-house. The outsourcing of key business processes raised a concern about how those processes were performed by the service organization on their client’s behalf. To solve this issue, SAS70 was introduced as an auditor-to-auditor communication that provided reasonable assurance over the design and operating effectiveness of controls in place for a given period of time.

As businesses continued to evolve and outsourcing increased, a stronger focus was placed on corporate governance, and SAS70 came under increased pressure. The standard which was originally intended to be used for transaction processing that impacts financial reporting was now being used for a wide variety of assurance needs and was commonly being referred to as a certification. To combat these issues, the AICPA went through a lengthy process that introduced significant revisions.

New and Improved Reporting

The new standard includes three separate types of SOC reports that address assurance for service organizations. For each type of SOC report, there is an accepted professional standard under which the audit will be performed. This allows for a common nomenclature when referring to reports going forward while allowing for a more frequent update of the professional standards. The table below provides an overview of the SOC reports and related professional standards.




  • Specific to service organizations with the potential to impact their customers' financial reporting.
  • Applicable Professional Standard: SSAE No. 16, Reporting on Controls at a Service Organization
  • Meets the needs of a broad range of users
  • Addresses assurance related to security, availability, processing integrity, confidentiality and privacy
  • Applicable Professional Standard: AT 101, Attestation Engagements
  • Similar to SOC2
  • Allows general, public distribution of report
  • Similar to SysTrust
  • Applicable Professional Standard: AT 101, Attestation Engagements

The SOC 1 report is most similar to the current SAS 70 report with a few key changes. It focuses on outsourced processes that have the ability to impact financial reporting.  The professional standard that relates to this type of report (SSAE 16) is new as well.

While similar to SAS70, SSAE No. 16 introduces several key differences, including:

  • Attestation Standard:  The move to an attestation standard creates additional due diligence that the service auditor must perform.
  • Auditor-to-Customer Communication:  The SAS70 audit standard was an auditor-to-auditor communication, meaning it was intended for the customer’s auditor of a service organization.  The revised standard is intended to be an auditor-to-customer communication, meaning the intended audience is a service organization’s customer.
  • Focuses on a Client’s “System”:  Where the SAS70 audit standard focused only on controls, the revised standard focuses on the people, process and technology related to the achievement of control objectives.
  • Management Must Provide Assertion:  Similar to SOX section 302, management must provide an assertion regarding the fair presentation, design and operation of controls.  This change relates only to SOC 1 audits.
  • Focus on Subservice Providers: If a company outsources a portion of their process or IT environment, the SOC 1 standard requires that they obtain a written assertion regarding the design, presentation and operating effectiveness of their controls.
  • International Reach: The SOC 1 professional standard (i.e. SSAE 16) has an international component that allows for easier adoption for clients doing work outside the US.
  • Design “As Of” Date: The SAS70 audit standard had the control design effective as of the final date of the audit period.  For the new standard, the design will be as of the first date of the audit period.  This limits the ability for management to make adjustments to their control design during the audit period.

SOC 2 reports meet the needs of a broader range of users and addresses assurance related to security, availability, processing integrity, confidentiality and privacy. These areas of assurance arise with companies providing outsourced services that may not be transactional in nature, such as cloud computing, data center hosting or Software as a Service.  These reports now fill the need of organizations who were clamoring for a tool they could use to provide assurance where SAS70 could not meet or was not appropriate to meet those needs. The accepted professional standard is AT 101, a general audit standard that gives flexibility in designing the scope of the audit. The AICPA has indicated that a revised professional standard will be issued sometime in 2011.

The SOC 3 report meets a similar need as the SOC 2 report, but allows for general, public distribution. The SOC 3 report contains only a summary opinion from the auditor of the effectiveness of controls, rather than the detailed description of the testing performed. The SOC 3 report also differs as it offers a way to become certified and to display the certification seal for others to view. This assures potential and existing customers that their data is secure and your company is operating under a higher level of controls and processes.

Ultimately, the separation of SOC 2 and SOC 3 report types allow for the reports to be more specific to the type of assurance that is trying to be achieved. For example, a company wanting to provide a higher level of assurance to the public would leverage the SOC 3 reports while a company wanting to provide deeper assurance to their clients could choose to leverage the SOC 2 reports.  In some cases, companies may choose to do both a SOC 2 and a SOC 3 audit to address assurance concerns of both customers and prospects.

Steps for a SSAE 16 Audit

Getting ready for the change in audit standards is relatively straight-forward, especially if you have been through this type of audit in the past.  Armanino recommends a six step approach increasing your chances for a successful audit.





Assess the components of your control environment.  SSAE 16 (the accepted SOC 1 standard) refers to this as your system.  You should evaluate your people, processes and information technology systems to identify issues that potentially threaten the achievement of your control objectives.



Once you have identified items that threaten the achievement of your control objectives, you need to design controls to prevent and/or detect these risks.  Be sure that your control design includes who operates the control, how often it operates, where it operates and what the output or evidence of the control’s operation is.


Test & Monitor

To make an assertion about the design and operation of controls, management must implement monitoring activities.  This can take the form of internal audit projects, quality assurance functions or peer reviews.  The desired output is facts that can be presented to senior management when they make their assertion about their controls (see next step for Assertion details).



This step only relates to SOC 1 reports.  Management must prepare an assertion that is presented to their service auditor.   This assertion must include details related to fairness of presentation, suitability of design and operating effectiveness (Type 2 report only).


Independent Evaluation

This process doesn’t change much if you have been through a SAS70 audit in the past.  This is where you will engage a third party provider that is an AICPA registered firm to perform the audit on your behalf.



The result of the audit procedures performed by your service auditor is the production of a SOC 1, 2 or 3 audit reports that can then be distributed to your customers.

Consequences/Benefits of SSAE 16

Although there is little direct consequence of non-compliance (e.g. fines or financial penalties), there are several subtle consequences that may arise from not having a current SOC report:

Market Perception: The focus on corporate governance and internal controls continues to be in the public spotlight.  As part of this push, many companies are now looking for their business partners to adopt practices similar to those they maintain in-house.  Service providers who do not have a current SOC report may find themselves at a disadvantage when working with existing clients and prospects because of this lack of demonstrated governance.

Client Governance Processes: Over the past several years, Armanino has seen companies moving from asking for a SOC report to requiring a SOC report before they will do business with a company.  Not having a current SOC report may limit your ability to engage with business partners that are essential to the achievement of your corporate vision and strategies.

Client Audit Requests: Not having a current SOC report or having a SOC report that does not address all areas that are key to your client’s operations may result in increased audit requests from your customers.  Responding to these audit requests can become time-consuming and costly.

How Armanino Can Help

Armanino can help by assisting your organization with the readiness process. This includes providing input and oversight for management’s design of controls, drafting control narratives and creation of policies and procedures. We can also assist with the execution and issuance of reports (SOC 1, 2 or 3). We have provided SSAE 16 and SAS 70 audit services to leading middle-market and strategic growth companies since the adoption of SAS 70 in 1992. We have developed an effective and efficient leading-class methodology that provides quality service and speed to value. Armanino is recognized by our clients as not just auditors but trusted business advisors that truly add value to our clients business.


comments powered by Disqus