Outsourcing: SAS 70 Superseded for Service Provider Control Reporting By SSAE 16


Executive Summary

Prior to 2011, customers (user entities) who engaged third-party service providers (service organizations) to perform functions and/or processes that impacted the user entities’ internal control over financial reporting (ICFR) typically required Statement on Auditing Standards (SAS) No. 70 Type 2 reports1 from service organization auditors (service auditors) that could be relied upon by the user entities’ management and auditors (user auditors) in discharging management’s responsibilities under the Sarbanes-Oxley Act of 2002 (SOX) and assuring the effectiveness of the user entities’ ICFR. SAS 70 contained the requirements and guidance for both service auditors reporting on controls at service organizations and user auditors auditing the user entities’ financial statements. Statement on Standards for Attestation Engagements (SSAE) No. 162 now provides the requirements and guidance for service auditors in such contexts and to that extent supersedes SAS 70. Going forward, where the service organization’s services affect the user entity’s ICFR, user entities should require in their outsourcing services contracts that service organizations provide Service Organization Control (SOC) 1 Type 2 reports under SSAE 16 rather than SAS 70 Type 2 reports. Additionally, user entities will want to more carefully focus on the limitations of the SOC 1 Type 2 report which, as was also the case with the SAS 70 Type 2 report, addresses only financial reporting and does not address controls over other important matters such as the security, availability, processing integrity, confidentiality or privacy of the user entities’ information or operations handled by the service organizations’ system3 that do not relate to financial reporting. SOC 2 and SOC 3 reports4 (which will be described in a future Legal Alert) will address these elements of the service organizations’ system that do not impact the user entities’ ICFR.

Please see full article below for more information.

LOADING PDF: If there are any problems, click here to download the file.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sutherland Asbill & Brennan LLP | Attorney Advertising

Written by:


Sutherland Asbill & Brennan LLP on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.