
Changes to SAS No. 70 and the Impact on the Audit Function and Information Security

Presented by: Peter Viglucci, CISA, CRISC
Director of Technology, P&G Associates

P&G Associates - 646 Highway 18, East Brunswick, NJ 08816 - (877) 651-1700
pviglucci@pgcpa.com - www.pandgassociates.com
Objectives
Who, what, why, and how
  Who do the changes affect?
  What is changing?
  Why is there a need for a change?
  How will the changes impact new business, audit, and information security?
Who?
Terminology definitions

Terminology: Our Example
  User Entity: The bank
  Service Organization: The core processing and data storage vendors
  Service Auditor: The auditor conducting an examination of controls as implemented by the vendors
  User Auditor: The bank's audit function (internal, external, and regulatory) that considers the controls of the vendors
  Other interested parties: Other banks considering using the vendors, investors in the bank
Relationships (diagram)
  Core Processor and Off-site Data Storage Vendor: Service Organizations
  CPA: Service Auditor
  Bank: User Entity
  External Audit, Internal Audit, Regulators: User Auditors
  Prospective customers: Other Interested Parties
Service Organization Reports (SOC Reports)
The big picture:
  SAS No. 70 becomes SSAE No. 16, which is now reported as SOC 1
  Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy are to be reported as SOC 2 or SOC 3
Effective for reporting periods ending on or after June 15, 2011


What is changing?
Three new Service Organization Control reporting options:

Engagement Standard
  SOC 1: ISAE 3402, SSAE No. 16, CSAE 3416
  SOC 2: AT section 101; AICPA guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  SOC 3: AT section 101; AICPA Technical Practice Aid Trust Services Principles, Criteria, and Illustrations
Subject Matter
  SOC 1: Used when service auditors report on internal controls over financial reporting of service organizations
  SOC 2: Used when service auditors report on subject matter other than financial reporting
  SOC 3: Used when service auditors report on subject matter other than financial reporting, but does not contain a description of the auditor's tests and results
Intended Users
  SOC 1: User Entity management, auditors of the User Entity financial statements (e.g. external auditors), and management of the service organization
  SOC 2: User Entity management, internal audit, regulators
  SOC 3: Freely distributable to any user who wants assurance on controls at the service organization (e.g. prospective customers of the service organization, investors, etc.)
Why the new reporting options?
SAS No. 70 was always intended to be a report on an entity's internal controls over financial reporting
  It is sometimes incorrectly used as a report on an entity's operational controls (e.g. privacy, integrity, etc.) not related to financial reporting
  Internal audit has contributed to the problem by incorrectly requesting SAS No. 70 reports for control audits that are not based on financial reporting
  Regulatory pressure? GLBA + Vendor Management = "Ask for the SAS 70"
SAS No. 70 is primarily an auditor-to-auditor communication
  It is sometimes used incorrectly as a marketing tool by the service organization ("we are SAS 70 Certified")
SAS No. 70 has an inherent weakness in that the service organization defines the scope of the controls evaluated
  This potentially leads to very acute information security issues for the user organization if the report is relied on for controls unrelated to financial reporting
Align with international standards
Align with SOX (management assertions)
Service Organization Report 1 (SOC 1)
The big picture:
  SAS No. 70 becomes SSAE No. 16, which is now reported as SOC 1
What is changing?
The International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) have approved new standards for reporting on controls at a service organization
Statement on Auditing Standards No. 70 (SAS 70) will be replaced with two standards:
  A service auditor's standard, International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization, which will guide service organization auditors when conducting examinations
  A user auditor's standard, International Standard on Auditing No. 402 (ISA 402), Audit Considerations Relating to an Entity Using a Service Organization, which will guide user auditors when assessing the internal controls of a service organization
What is changing?
The ASB has adopted new domestic standards
  Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization
  SAS exposure draft (ED): Audit Considerations Relating to an Entity Using a Service Organization
    Expected to be final in December 2011
What's new in SSAE No. 16?
SSAE No. 16 is an attestation standard
  The service auditor is reporting on the service organization's description of its system and controls, not reporting on financial statements
  Aligns the standard with the actual work being performed
Written assertion by management
  The management of the service provider will be required to present a written assertion covering the entire specified period about whether
    the description fairly presents the system that was designed and implemented
    the controls were suitably designed to achieve the control objectives
    the controls operated effectively
  The management of the service provider must have a reasonable basis to support the assertion
    Risk assessment
    Monitoring
What's new in SSAE No. 16?
Can't use evidence of satisfactory operation of controls in prior periods as a basis for reducing the testing in the current period
The service auditor is required to identify and describe any tests of controls performed by internal audit and the service auditor's process with respect to that work
In a type 2 engagement, the service auditor's opinion covers the period. In a SAS No. 70 report, the opinion is as of a specified date
The materiality loophole has been closed
  The concept of materiality is not applied when disclosing, in the description of the tests of controls, the results of those tests when deviations have been identified
  SSAE No. 16 effectively states that service auditors will no longer be permitted to hypothesize about what may, or may not, be relevant to user entities and user auditors
What's the same in SSAE No. 16?
The report is limited in its distribution. It is not intended for, and should not be distributed to, other organizations, including prospective clients or investors
The service auditor's tests and results are included in the report
Sample sizes are disclosed only when deviations are identified
User Control Considerations will still be included in the report
What's the same in SSAE No. 16?
Two types of reports: Type 1 and Type 2
Type 1
  A report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date
Type 2
  Same as a type 1 report but also includes 1) the service auditor's opinion on the operating effectiveness of the controls and 2) a description of the service auditor's tests of the operating effectiveness and the results of those tests
  The difference is that the opinion now covers the period
Management Assertion
What value does it add?
  Adds accountability at the service organization
    The management of the service organization can't hide behind the service auditor's report
  Adds transparency to the system in question
    How many times have you read a SAS 70 and still had no idea what the system did?
  Gives additional comfort to the user entity that senior management at the service organization is involved
What does it not do?
  It does not shift responsibility to the service organization
    User entities are ultimately responsible for the systems they use, whether they are deployed and managed in-house or outsourced
  It should not be considered a vehicle that transfers risk
Management Assertion
Illustrative assertion for an SOC 1 type 2 report, with the presenter's notes in brackets:

XYZ Service Organization's Assertion

We have prepared the description of XYZ Service Organization's [type or name of] system (description) for user entities of the system during some or all of the period [date] to [date] and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm, to the best of our knowledge and belief, that
[Note: the intended audience is still restricted. SOC 1 is about financial reporting.]

a. the description fairly presents the [type or name of] system made available to user entities of the system during some or all of the period [date] to [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description
[Note: the assertion covers the period (type 2).]

i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including
1) the classes of transactions processed.
2) the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system.
4) how the system captures and addresses significant events and conditions, other than transactions.
5) the process used to prepare reports or other information provided to user entities of the system.
6) specified control objectives and controls designed to achieve those objectives.
7) other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.
[Note: risk assessment and monitoring form the reasonable basis for the assertion.]

ii. does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment.
[Note: the report will be used by many different user entities, subject to differing regulatory requirements, and will therefore focus on common controls applicable to all. It is the user entity's responsibility to understand any additional controls it might require.]

iii. includes relevant details of changes to the service organization's system during the period covered by the description when the description covers a period of time.
[Note: change in the system is okay so long as it is documented and the control objectives hold.]

b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period [date] to [date] to achieve those control objectives. The criteria we used in making this assertion were that
[Note: the assertion covers the period.]

i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization;
[Note: this is the risk assessment.]
ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.
What to look for in an SOC 1 type 2 report
Illustrative Independent Service Auditor's Report, with the presenter's notes in brackets:

Scope
We have examined XYZ Service Organization's description of its [type or name of] system for processing user entities' transactions [or identification of the function performed by the system] throughout the period [date] to [date] and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.

Service organization's responsibilities
On page [X] of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
[Note: this paragraph points to management's assertion. It includes a statement of risk assessment; it is unlikely that an actual risk assessment will be included in the report, but we can dream.]

Service auditor's responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period [date] to [date].
[Note: the service auditor must also opine on the suitability of the design over the period.]
What to look for in an SOC 1 type 2 report (continued)

Inherent limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion on page [X],
a. the description fairly presents the [type or name of] system that was designed and implemented throughout the period [date] to [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
c. the controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].
[Note: the opinion covers a period, whereas a SAS 70 opinion is as of a date. Type 2: the controls operated effectively.]

Description of tests of controls
The specific controls tested and the nature, timing, and results of those tests are listed on pages [YY-ZZ].

Restricted use
This report, including the description of tests of controls and results thereof on pages [YY-ZZ], is intended solely for the information and use of XYZ Service Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date] to [date], and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.
[Note: this is still a restricted report.]
SOC 1 Stakeholders (diagram: the Relationships map of Core Processor, Data Storage Vendor, CPA, Bank, External Audit, Internal Audit, Regulators, and Prospective customers, applied to the SOC 1 report)
Service Organization Report 2 (SOC 2)
The big picture:
  Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy are reported as SOC 2
Service Organization Control Report 2 (SOC 2)
Focused on the Trust Services Principles
  Security
  Availability
  Processing Integrity
  Confidentiality
  Privacy
Performed under AT Section 101
  The soon-to-be-released AICPA guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy is an application of AT section 101
Available as Type 1 and Type 2 reports
The Trust Services Principles add consistency to the reviews, so user entities can evaluate different vendors using common criteria
Why consider an SOC 2 report?
Meet regulatory compliance needs of user entities
  GLBA, HIPAA
Remove the need for user entities to exercise their audit rights; user-entity audits
  can potentially disrupt operations
  can potentially compromise security
  are expensive to support
Answer questions before they are asked
  Questions from user entities will generally align with the Trust Services Principles
  For example, questions related to a cloud-based storage service will likely revolve around security and availability
SOC 2 Stakeholders (diagram: the Relationships map of Core Processor, Data Storage Vendor, CPA, Bank, External Audit, Internal Audit, Regulators, and Prospective customers, applied to the SOC 2 report)
Service Organization Control Report 3 (SOC 3)
Like SOC 2, focused on the Trust Services Principles
  Security
  Availability
  Processing Integrity
  Confidentiality
  Privacy
However, it does not include a description of the tests of controls or their results
It does include a description of the system, but it is less detailed than in an SOC 1 or SOC 2 report and the description is not covered by the service auditor's report
SysTrust
  In addition to a report, the results of an SOC 3 engagement can be delivered in the form of a seal for display on the service organization's website
The report is not restricted and is freely distributable
Why consider an SOC 3 report?
Marketing to current and prospective customers, or any other interested party that does not need detailed reporting on controls
SOC 3 Stakeholders (diagram: the Relationships map of Core Processor, Data Storage Vendor, CPA, Bank, External Audit, Internal Audit, Regulators, and Prospective customers, applied to the SOC 3 report)
What reporting option should I choose?
If your customers need the report to comply with SOX, FDICIA, or similar regulation, then choose SOC 1
If you offer services that can potentially impact the financial reporting obligations of your customers, then choose SOC 1
If you offer services not related to financial reporting that can be considered critical to your customers' operations, then choose SOC 2
If you offer services not related to financial reporting that can be considered critical to your customers' operations, and you want to market them as such, then choose SOC 2 & SOC 3
The impact on external, internal, and regulatory audits
Can now more effectively evaluate vendors (both selection and management)
  The description and management assertion add context to the controls
  In SOC 2 and SOC 3 reports, the Trust Services Principles define the control objectives
  Reports are standardized: you can compare multiple vendors using common criteria!
  Be aware that in an SOC 1 report the vendor, not the auditor, still specifies the control objectives
  "No exceptions" now means no exceptions, not "no exceptions in the tests the service auditor deemed relevant"
Remember that the responsibility still remains with the user organization
  Existing vendor management policies can probably remain the same, but consider enhancing the language to reflect a review of the description and assertion
  The report opinion now covers the period, so make sure the coverage is contiguous between reports
  You still must pay special attention to the User Control Considerations
How will the changes impact information security?
Information is now more visible and easier to understand, improving the process of due diligence and the practice of due care
Service organizations that did not deal with financial reporting were not required to undergo SAS No. 70 reviews
With the introduction of the new reporting options:
  Market pressure will likely result in the adoption of SOC 2 and SOC 3 reports in regulated industries
  Vendors outside financial reporting will undergo reviews commensurate with those of organizations that are required to have SOC 1 reviews performed
The new scrutiny should generally improve information security
How will the changes impact new business?
The universe of potential clients for service audit firms increases
  Many service organizations that are not subject to SOC 1 are now potential customers for SOC 2 and SOC 3
  SOC 2 + SOC 3 = Billable Hours
Most applicable to regulated industries (GLBA, HIPAA, etc.)
  Regulators and Internal Audit will contribute to the demand
Technology is not going away, and security is just starting to become something service organizations care about
  As security needs increase, market pressure will likely contribute to the adoption of SOC 2 and SOC 3
A Practical Example (diagram callouts)
  Recognizing they provide critical services to their customers, the vendors (the Core Processor and the Off-site Data Storage Vendor) engage a CPA to attest to the adequacy of their controls
  The CPA delivers an SOC 1 (type 2) report to the organization that needs a report on internal controls over financial reporting (the Core Processor)
  The CPA delivers SOC 2 (type 2) and SOC 3 reports to the organization that needs a report on internal controls over security, availability, processing integrity, confidentiality, or privacy (the Data Storage Vendor)
  As part of its vendor management program, the Bank requests the SOC 1 report from the core processor and the SOC 2 report from the data storage vendor
  As part of the external audit, the auditor requests the SOC 1 (type 2!) from the Bank
  As part of the internal and regulatory audits, the auditors request the SOC 2 (type 2!) from the Bank
  Wishing to market itself to other banks, the data storage vendor displays the SOC 3 seal on its website
References
AICPA, Statement on Standards for Attestation Engagements No. 16 (SSAE No. 16), Reporting on Controls at a Service Organization
AICPA, Trust Services Principles and Criteria
AICPA, Service Organizations: New Reporting Options
AICPA, Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1 Guide)
AICPA, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)
ISACA, New Service Auditor Standard: A User Entity Perspective
AICPA Trust/Data Integrity Task Force, Understanding How Users Would Make Use of a SOC 2 Report
Questions

P&G Associates
Peter Viglucci
877-651-1700 or pviglucci@pgcpa.com
