Pub. 2 2011 Issue 2
www.wvbankers.org 20

SAS 70 Replaced by SOC 1
Similarities and Changes to the SAS 70 Report
By Chris Joseph, CPA, CISA

Over the years, banks and other organizations have outsourced the processing of certain critical accounting functions to Service Organizations. Many of you are familiar with the SAS 70 report. Since 1992, the SAS 70 report has been used on audits of organizations that use a service organization to process a significant part of their accounting transactions. Examples of service organizations include those that process customer deposit and loan transactions (a core processing solution), provide internet banking services, or provide trust services.

When an organization outsources an important part of its accounting function, the service organization's control risks become the risks of those using the service organization: weaknesses at the service organization could raise the risk at the User Entities (i.e. a bank). In order to obtain an understanding of the internal controls over the financial reporting of a bank, the user entity's auditor (User Auditor) would have to gain an understanding of the controls at the service organization. The SAS 70 report allowed user auditors to gain that understanding without having to conduct the examination directly on the service organization. This was accomplished by having a single Service Auditor conduct the SAS 70 engagement and issue the SAS 70 report.

Changes since the Inception of SAS 70 Reports

Several changes have occurred over the past nineteen years that have necessitated changes to reports on controls at service organizations. These changes include the following:

• Increased outsourcing of processes and business functions that were historically conducted within an organization. Many organizations are outsourcing other functions such as management of their network, firewall and other security controls, imaging and branch capture, utilization of shared resources through cloud computing, etc.
• Regulatory changes resulting from the Sarbanes-Oxley Act, GLBA, HIPAA, HITECH and others have changed the landscape as it relates to the protection of customer and consumer data and the privacy of the information being provided to organizations.
• Technological changes and advances have presented more opportunities to service your customers but have also introduced additional risks.
• Recent internal control breakdowns in security, privacy breaches and fraud.
• As the economy becomes more global, a need for an international standard was identified; not all countries had their own standard.

In many cases, the SAS 70 report was being erroneously relied upon to address controls that it was never designed to test. Keep in mind that the SAS 70 report was structured only to address internal controls over financial reporting.

New Reporting Options

In response to the changing environment, the AICPA has established three Service Organization Control (SOC) reporting options called SOC 1, SOC 2 and SOC 3 reports. Two of these reporting options (SOC 1 and SOC 2) are discussed below in more detail. A SOC 1 engagement is performed in accordance with SSAE 16. By definition