Correct. The SAS 70 audit has been out of existence since June 15, 2011. Frankly, many organizations are still being asked for SAS 70 because of its nearly 20-year existence and a lack of education surrounding the change of the standard.
Since SAS 70 has been around for nearly 20 years, its terminology seems stuck in the written agreements of many organizations that have long-term contractual obligations. Transitioning SAS 70 out of audit terminology is going to take an effort from the profession, as well as publicity of the profession, to make sure that these organizations understand SSAE 16, its replacement of SAS 70, and what it brings to the table to align it more with an assertion-based report rather than direct reporting on the controls.
There will also need to be more education within the legal profession, which is typically involved in drafting customer contracts. SAS 70 remains on their contractual checklists, and now we need to make sure it’s transitioned to SSAE 16.
Hopefully, over time, SSAE 16 will gain more prominence and organizations will begin to see it written into their contracts. It’s not going to be an easy transition, but hopefully, with more education and publicity over the next 12 to 24 months, organizations will begin to understand that when they renew their contracts and customer requirements on RFPs, they are to include SSAE 16 as the requirement when appropriate rather than SAS 70.
Managing Partner of A-LIGN