Archive for the ‘Fiduciary Controls Audits’ Category

Attestation Beyond SAS 70

My colleague recently blogged about the challenges facing service providers when responding to requests for their SAS 70 audit report or “certification.” This request is too often based on a procurement agent’s mistaken assumption that SAS 70 audits are a “one-size-fits-all” way to fulfill due diligence requirements when contracting with technology service providers. This misguided approach is a source of frustration for service providers and CPA firms that provide attestation and review services to technology companies. The requests for a SAS 70 report, commonly surfacing in RFPs, have grown far beyond the limited scope and purpose for which the reports were intended.

Since SAS 70 will soon be replaced by SSAE 16 and ISAE 3402, it’s a good time to review why a third party service provider and their customer might request an attestation report and how to decide which type of report is appropriate.

The AICPA recently issued FAQs with direction to service providers, their customers and, most importantly, the auditors, on alternatives now available to provide reporting that meets both internal management needs and the reporting needs of users and prospective users. Within the FAQs, the AICPA makes it clear that SSAE 16, Reporting on Controls at a Service Organization, is an attestation standard for services which impact the financial reporting controls of user organizations.

That said, the AICPA recognizes that a service organization’s services affect not only financial statement risks but also the operational and compliance related risks of their users. Examples may include:

  • A service organization’s management may engage a CPA to report on the effectiveness of its controls over privacy utilizing Generally Accepted Privacy Principles (GAPP).
  • An entity may be required to demonstrate its compliance with a specific regulation, such as the DEA’s regulations for “Electronic Prescriptions of Controlled Substances.”
  • A service provider may wish to show adherence to and alignment with industry standards such as the framework developed by the Cloud Security Alliance.

CPA firms are armed with a broad set of alternatives for responding to such needs. They are contained in the AICPA’s Codification of Statements on Standards for Attestation Engagements. Within these standards, AT Section 101 – “Attest Engagement” sets forth the framework under which all attestation engagements must operate. The following types of attestation engagements should be considered when reporting on non-ICFR (internal controls over financial reporting) topics:

The AICPA’s SysTrust and WebTrust are two of the better known examples of attestation engagements developed in accordance with AT Section 101. SysTrust is a family of assurance services that are applied to various aspects of B2B systems, while WebTrust is a family of assurance services that are applied to e-commerce based systems. Both result in attestations and seals that may be displayed on a client’s website following a successfully completed assessment.

AT Section 201 – Agreed Upon Procedures Engagements – This type of engagement is performed when a client and one or more third parties want a CPA firm to independently evaluate a topic and issue a report of findings based on specific procedures performed by the CPA firm. The procedures to be performed by the CPA firm are typically agreed to in advance. The resulting report describes these procedures and the results of those procedures. A client might use an agreed upon procedures engagement when a specific end customer wants evidence regarding an instance of an application hosted only for that customer.

AT Section 601 – Compliance Attestation – This type of engagement provides third party attestation regarding an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants; and/or, the effectiveness of an entity’s internal control over compliance with the specified requirements. This may include the DEA regulations stated above but could also apply to the recent amendment to SEC Rule 206(4)-2 of the Investment Advisers Act of 1940, which refers to custody over client assets by a registered investment advisor.

When all else fails, AT Section 101 serves as the “catch all” assessment for topics that aren’t candidates for a service audit or any of the examinations described above. Through AT Section 101, an organization can obtain an assessment that is very similar in form and function to an SSAE 16 assessment, but for non-ICFR topics. That makes it a great mechanism for performing assessments of technology topics, including cloud computing and virtualized environments.

The AICPA is planning to publish a guide titled, Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, that addresses reporting on a service provider’s controls over subject matter other than financial reporting. This guide is expected to be available by early 2011 and is to reference work being done by the Cloud Security Alliance and other related groups.

Most importantly, I strongly advise all service organizations to work collaboratively with their customers. In the end, all attestations for the service providers emanate from the audit and compliance needs of their customers!


Update on SEC Custodial Audit Requirements

Back in December, we posted about a new SEC rule requiring that financial advisors with “custodial” access to funds undergo a controls audit to ensure that client data is being handled appropriately. Specifically, a “Custodial Controls Review” was required to be performed by a PCAOB approved CPA firm.

Recently, the SEC provided an update including several FAQs on the final ruling. Of note are the following question and answer pairs.

Question I.7

Q: Rule 206(4)-2(a)(6) requires that an adviser or its related person that maintains client assets as a qualified custodian must obtain (or receive from the related person) a written internal control report (e.g., Type II SAS 70 report) regarding the adviser’s or its related person’s custodial practices. What is the compliance date for the internal control report?

A: The compliance date for obtaining an internal control report is September 12, 2010 for advisers subject to the requirement on March 12, 2010. Advisers that are newly subject to Rule 206(4)-2(a)(6) (e.g., newly maintaining, or having a related person maintaining, client assets as a qualified custodian after March 12, 2010) must obtain the internal control report within six months of becoming subject to the requirement.

Question I.8

Q: [With regards to the same requirement] Does the internal control report need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule?

A: No, the internal control report does not need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule, even if it results in a shortened examination period for the 2010 internal control report.

Question I.9

Q: Currently, qualified custodians often obtain custody-related SAS 70 reports prepared on a regular reporting cycle. If a qualified custodian obtained a SAS 70 report in 2009 and plans to obtain a SAS 70 report in 2010, is the qualified custodian expected to alter its reporting cycle to meet (or allow its related person investment adviser to meet) the initial September 12, 2010 compliance date?

A: No, a qualified custodian that obtained a custody-related SAS 70 report in 2009 is not expected to alter its reporting cycle in 2010.

In summary, the deadline to obtain a control report is either September 12th of this year or six months after being considered a custodial advisor under the requirements. The only exception is if you are already on a schedule to perform SAS 70 audits. Given the amount of time that most audits take from planning to report, if you haven’t spoken to your IT audit firm… you are very behind!


SAS 70 for your Financial Advisor

Nothing like a high-profile scandal (Madoff) to increase the level of auditing in financial services.

On December 16th, 2009, the SEC adopted new rules for investment firms which act as custodians for client assets. The key word here is custodian. Traditionally, financial advisers were not considered custodians because they did not have “physical” custody of the funds (i.e. they were with one firm and the money/investments sat in an independent financial institution). What became clear in Madoff was the degree to which these “advisers” could initiate financial transactions without the knowledge or permission of their clients.

As such, the focus of the rule is around financial advisers who can perform these actions. Of note in the rule are two key components:

  1. “Surprise audits” – Advisers must undergo a surprise exam by an independent accounting firm to examine how client assets are being handled.
  2. And more relevant to this blog… the required Custody Controls Review. This section of the rule requires advisers to undergo a controls audit by a PCAOB approved accounting firm. Specifically, a SAS 70 Type II is referenced.

Requiring financial advisers with custodial responsibility to document and have their controls independently audited is consistent with other industries (financial and non-financial such as technology) where the critical assets are managed by a third-party provider over whom the client has neither control nor insight into that provider’s practices and safeguards for their assets. While the rule does not specifically mandate a SAS 70, it references it as well as AT Section 610 as suitable means for complying with the new rule.

For the press release and full text of the final rule, click here.
