SAS 70 Audits for Service Providers Changes to Accommodate Cloud Computing

The long-standing supplier risk certification form is being replaced by SSAE 16, which takes more IT compliance and security controls into consideration in the age of the cloud

Bank Technology News  |  May, 2011

June 15 will be one of the biggest days in years for institutional risk managers in charge of ensuring the security and compliance of service providers, as the SAS 70 report gives way to a new broader report called SSAE 16.

SSAE 16 reports are far more complex than SAS 70 reports, and will require outsource firms to describe in detail how they will effectively manage internal, external and systemic threats to their IT integrity and GRC requirements. The new report will also contain an additional attached report from an external auditor on the effectiveness of the supplier’s controls that will be submitted to institutions as part of the response to an RFP.

The changes are designed in part to address the complexity of cloud computing, which raises risks such as the tech and security competence of the cloud provider and the cloud firm’s own external suppliers. Other new outsourcing agreements, which in the banking industry are increasingly including project management and other oversight duties in addition to software programming and other basic IT services, add more elements to IT risk. This makes the institutional supply chain harder to manage, resulting in a gradual creep of SAS 70 beyond its original intent.

“The banking community has historically used SAS 70 for purposes related to understanding controls related to core banking applications, such as transaction and account processing activities that have a direct linkage to SAS 70’s defined purpose related to internal control over financial reporting,” says Dan Schroeder, a partner with Habif, Arogeti & Wynne, a Georgia-based accounting firm. “Over time, many banks have mistakenly come to view SAS 70 as a form of compliance or certification for virtually any outsourced service.”

Schroeder says that statements and assertions made in some cases by suppliers that SAS 70 is a certification and compliance stamp are incorrect and create a false sense of assurance.

“As the array of services provided on an outsourced basis has increased, especially fueled by cloud growth, so has the misunderstanding and potential misuse of SAS 70 reporting,” Schroeder says. He cites as examples providers of infrastructure such as data and network connectivity, circuits and security monitoring; providers of platforms to trade securities (e.g., self-directed investing); and providers of maintenance and monitoring services around bank infrastructure, data backup and recovery systems, and information security.

SAS 70 was developed in the early 1990s to help institutions such as banks and healthcare providers assess the risk controls of billers and other suppliers. The reports have become a widely accepted stamp of trust that a vendor is safely protecting sensitive data. The new SSAE 16 report adds more information on the compliance and operations of a tech firm, requiring more due diligence on the part of outsourcers. SSAE 16 reports detail a larger swath of a supplier’s business model and are more tech-heavy than SAS 70.

One of the challenges for banks under the new form will be to actually streamline overall due diligence of tech outsourcers and other suppliers, since the SSAE 16 form will include more information that should answer risk management questions that a bank may have before hiring an outsource firm.

“Banks are notorious for requesting their service providers complete extensive questionnaires as part of due diligence and periodically after services are being provided,” Schroeder says. “Services organizations consider these questionnaires to be a hardship as they are very time consuming to complete, and they vary from bank to bank.”
