Long live SSAE 16 and ISAE 3402!
One of the most misunderstood things about SAS 70 was the fact that it was technically only a valid auditing standard in the United States, even though SAS 70 reports are done for non-US-based service providers and are relied upon by businesses and auditors worldwide.
However, on or before June 15, 2011, that will change. As of that date, Statement on Standards for Attestation Engagements (SSAE) 16 and International Standards on Attestation Engagements (ISAE) 3402 will replace the venerable SAS 70.
SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is issued by the International Federation of Accountants (IFAC).
The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same. There are a few differences that are important to financial auditors and lawyers, but they should not have an impact on people relying on these reports for PCI compliance or other purposes.
What is important is that now, no matter where you are in the world, you can obtain an independent assessment of a service provider’s controls.
The other piece of good news is that an SSAE 16 report, under AICPA Service Organization Control (SOC) 2 and SOC 3, can include controls relevant to security, availability, processing integrity, confidentiality and/or privacy.
Under AICPA SOC 3, which covers trust services such as those defined by ISO, ITIL, PCI, HIPAA or GLBA, controls from these requirements can also be covered in an SSAE 16 report.
The difference between SOC 2 and SOC 3 reports is that a SOC 2 report’s distribution is restricted to only those organizations already contracted with the service organization, whereas a SOC 3 report does not have restricted distribution.
According to what we have heard from the AICPA, the SOC 2 and SOC 3 reports have to be separate reports and guidance on how these reports need to be structured is expected by the end of 2010.
So please do not bug your friendly CPA until after the first of 2011 regarding the new reporting standards.
Unfortunately, financial auditors outside of the United States are, for the most part, unfamiliar with conducting such an assessment of controls. As a result, they will need time to get up to speed on such attestation engagements.
So those of you outside of the United States need to be patient while the auditors in your country get up to speed.
The bottom line is that we are expecting to see a lot of SOC 3 type reports that will cover ITIL, HIPAA and PCI requirements as part of their testing.
So start asking your service providers now for an SSAE 16 or ISAE 3402 report, so that your service provider can start asking their auditor to prepare such a report.
Cross-posted from PCI Guru