Outsourcing: SAS 70 Superseded for Service Provider Control Reporting By SSAE 16


Executive Summary

Prior to 2011, customers (user entities) who engaged third-party service providers (service organizations) to perform functions and/or processes that impacted the user entities’ internal control over financial reporting (ICFR) typically required Statement on Auditing Standards (SAS) No. 70 Type 2 reports1 from service organization auditors (service auditors) that could be relied upon by the user entities’ management and auditors (user auditors) in discharging management’s responsibilities under the Sarbanes-Oxley Act of 2002 (SOX) and assuring the effectiveness of the user entities’ ICFR. SAS 70 contained the requirements and guidance for both service auditors reporting on controls at service organizations and user auditors auditing the user entities’ financial statements. Statement on Standards for Attestation Engagements (SSAE) No. 162 now provides the requirements and guidance for service auditors in such contexts and to that extent supersedes SAS 70. Going forward, where the service organization’s services affect the user entity’s ICFR, user entities should require in their outsourcing services contracts that service organizations provide Service Organization Control (SOC) 1 Type 2 reports under SSAE 16 rather than SAS 70 Type 2 reports. Additionally, user entities will want to more carefully focus on the limitations of the SOC 1 Type 2 report which, as was also the case with the SAS 70 Type 2 report, addresses only financial reporting and does not address controls over other important matters such as the security, availability, processing integrity, confidentiality or privacy of the user entities’ information or operations handled by the service organizations’ system3 that do not relate to financial reporting. SOC 2 and SOC 3 reports4 (which will be described in a future Legal Alert) will address these elements of the service organizations’ system that do not impact the user entities’ ICFR.

Please see full article below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sutherland Asbill & Brennan LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.