Home > SAS 70, SOC 1, SOC 2, SOC Audits, SSAE 16, Uncategorized > Division Among the Ranks

Division Among the Ranks

There is no shortage of strong opinions regarding the state of third party attestation today. On one side we have the proponents of the new SOC 2 standard. On the other, we have those that want to stick with the tried and not-so-true legacy of SAS 70, aka SSAE 16/SOC 1. The real conflict appears to be around how to determine what ICFR is.

ICFR is the acronym for Internal Control over Financial Reporting. Why is this understanding so important? Because it helps determine the most appropriate report for a given service organization and what should be included in the report. At the root of the disagreement is whether or not it is appropriate to include certain general technology controls (e.g. physical security, redundant network and power feeds, etc.) in a SOC 1 (SSAE 16) report.

There is no question about the purpose and applicability of SSAE 16. The preface to the guidance from the AICPA is crystal clear: “Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), establishes the requirements and guidance for reporting on controls at a service organization relevant to user entities’ internal control over financial reporting. The controls addressed in SSAE No. 16 are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities.”

Based on that guidance, it would appear that if a control does not prevent, detect and correct errors or omissions in the information that a service organization provides to its customers, then it does not belong in a SSAE 16 report. A more fundamental question can be derived from the guidance. That is; what information does the service organization provide and is it relevant to ICFR?

So perhaps the question is not so much whether a particular control itself is or is not related to ICFR. Rather, the question is, does the control prevent, detect and correct errors or omissions in the information provided? If we examine the information provided by a service organization it should help us determine whether the controls are relevant to ICFR.

I have recently seen some blog postings where certain firms are being “called out” for including what the author believes are clearly non-ICFR controls in SSAE 16 reports.  The intent of the postings are to point out that the firm producing the report is somehow violating the SSAE 16 standard by including non-ICFR controls in the report. But it seems to me that the author is himself violating the standard by making portions of a restricted report ( one intended only for management and the service organization’s customers) publicly available.

Healthy disagreement about how to interpret standards, laws, and rules helps improve those same standards, laws, and rules. That is why we have multiple layers of courts in our country. Discussions among professionals in an appropriate forum in order to provide additional clarity over the interpretation of a very complex, very technical standard like AT 801 (the real standard behind the SOC 1 report) will advance the profession.

Copying entire sections of restricted reports in an attempt to support an argument about what controls should or should not have been included will not advance the profession. It will only add more confusion to an already confused customer base and allow some other reporting mechanism to replace SOC reports as the market leading third-party attestation. That would be bad for our profession and bad for our customer base.

Let’s focus on giving our customers a reporting solution that works for them and stop bickering among ourselves as to who is right and who is wrong.

  1. September 11, 2012 at 9:28 AM

    Good post David. Remember why there are restricted use rules in the first place. It is to prevent unintended audiences from receiving the report and placing reliance on it. Audiences that perhaps do not understand enough about internal controls and the inherent risks associated with third party attestations to detect fraud etc. In the case of my blog posts (http://bit.ly/RCtgdP), the names of the service organizations have been redacted, so who is going to be able to place reliance on the report?

    I think there needs to be a light turned on in this industry to expose the rampant abuse, and I’m just flicking that switch right now.

  2. JB
    September 13, 2012 at 4:20 AM

    I agree that posting excerpts of reports wreaks of unprofessionalism. This is especially true when the reports are obtained for valid business reasons and then misappropriated. Imagine the liability risk to an employer resulting from an employee publishing material marked confidential or copy written and possibly subject to a EULA. It doesn’t seem very intelligent or ethical. Cease and desist letter coming soon.


    “It is to prevent unintended audiences from receiving the report” – LOL. It must not be an ironclad method.

  3. September 13, 2012 at 8:30 AM

    The reason everyone is upset is that I am speaking the truth, and it is embarrassing to the parties involved. There is no defense for the mess that reports like these have created in the market in terms of creating the illusion of security and availability assurance. Rather than fix the problem, people are lashing out at the messenger.

  4. September 13, 2012 at 11:17 AM

    I removed the post because I can see that people are getting angry at me for speaking out about the problem that we all know exists. When words like “wreaks of unprofessionalism”, and “Cease and desist letter coming soon…” are used, it’s time to just drop it. How discouraging that rather than addressing me directly and challenging my arguments, you would choose the path of intimidation and bullying. No one likes a bully, and it’s time we stand up to them. I will point everyone to my whitepaper on the DoRS Analysis approach to distinguishing between ICFR and non-ICFR controls and let everyone decide for themselves if the reports they are receiving are appropriate or not.


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: