Archive

Archive for May, 2011

SOCs Rocks? or not……

May 6, 2011 2 comments

So, the AICPA has killed off a defacto brand, SAS 70, and created three new reporting standards, SOC 1, SOC 2, and SOC 3 to replace it.  If that sounds a bit like a Dr. Seuss book, you are in good company.   SOC stands for Service Organization Controls which is what these new reporting standards are supposed to address.

SOC 1 is the “new” SAS 70.  The official standard is SSAE 16, or “Statement on Standards for Attestation Engagements number 16” to be precise.  When the AICPA announced the demise of SAS 70, they simultaneously introduced SSAE 16 as its replacement.  So naturally, as a service organization who has had SAS 70 audits for years, and is already “SAS 70 certified”, you will ask your auditor for an SSAE 16 report for 2011, right?  Yes, you will.  And that is precisely why the new SOC reports will not accomplish what the AICPA wants them to.

The biggest problem with SAS 70 was that it has been misused and abused since Sarbanes-Oxley (the other SOX) became law.  It was never intended to be an audit of general IT controls for an unrestricted audience.  It was created by auditors for other auditors who were performing financial statement audits.  The guidance for SSAE 16 clearly states that a SOC 1 report is also intended for auditors performing financial statement audits.  But  the service organizations that have had SAS 70 reports are now asking their auditors for SSAE 16 reports because their customers are asking for SSAE 16 report because it is the “new SAS 70”.  Those customers don’t care that the report is intended for use in financial statement audits.  They just want the report so that when their auditors ask for the SSAE 16 report (which they inevitably will) it will be available.

SOC 2 and SOC 3 reports could have been the next big thing for companies seeking some kind of assurance over the IT general controls for their cloud and colocation service providers.  The reports are based on a standard set of control principles which makes it easy to know that a given service organization has all the right kinds of controls in place.  But because the AICPA did such a poor job of preparing everyone for the change and educating them on which report was best, everyone will just ask for SSAE 16 because it is the replacement for SAS 70.  The people in the trenches who are asking for these reports don’t care about whether it is appropriate or not.  They just want to be able to give the report to the auditors when they ask for it.

And by the way, the auditors asking for the report really don’t care either.  As long as they can check the box on their working papers that will soon say “SSAE 16”, it won’t matter if the service being provided has a financial statement impact to their client or not.  They are covered and that is all that matters.

Meanwhile we still don’t have a certification or a standardized audit to ensure that Cloud Provider A and Cloud Provider B have appropriate IT general controls in place.

Advertisements