SAS 70

Ask A-LIGN: Why is the SAS 70 audit still asked for? I thought it no longer existed?

Answer: Correct. The SAS 70 audit has been out of existence since June 15, 2011. Many organizations are still being asked for SAS 70, frankly, due to the fact of its nearly 20-year existence and lack of education surrounding the change of the standard. Here’s Why: Since SAS 70 has been around nearly 20 years, its terminology seems stuck in the written agreements of many organizations that have long-term contractual obligations. Transitioning SAS 70 out of audit terminology is going to take an effort from the profession, as well as, publicity of the profession to make sure that these organizations understand SSAE 16, its replacement of SAS 70, and what it brings to the table to align it more with an assertion based report rather than a direct reporting on the controls.

Read More

SOC 2 – Not your prior year SAS 70

After a 20 year reign as the service auditor’s report, the SAS 70 was retired this summer with much fanfare. After being used to communicate the design, implementation and operating effectiveness of controls at every type of service organization imaginable, the AICPA published new standards that better align the type of service organization and service provided to the report used to communicate the design, implementation and operating effectiveness of controls to the user of the report.

Read More

SAS 70 is gone??? Why can’t I get a SSAE 16?

In the past two weeks, we have been asked my multiple clients to explain to their customers that the SAS 70 audit standard was superseded as of June 15, 2011.  Our clients were faced with frustrated user organizations that were looking for their SAS 70 audit report.  We had to not only provide our literature and white papers outlining the audit standard has been superseded but provided information directly from the American Institute of CPAs (AICPA) to the same effect. It even got to the point where I told the user organization to call a national accounting firm in their city to confirm what we have said along with the AICPA.   This frustration from user organizations can be expected when the SAS 70 audit requirement lies in the hands of a contracting officer at the user organization.  The communication gap between the legal or vendor relations department and the accounting departments at an organization sometimes is wide and must be bridged.  When the exposure draft of SSAE 16 was released years ago, I recall preaching to clients that they should begin speaking with their customers regarding the change and update contracts with customers as well as vendors to reflect the eventual vanishing of SAS 70.  We continue to encourage clients as we move into September, which is typically “SSAE 16 busy season, “ that our clients should contact their customers and educate them regarding the change and utilize A-LIGN as a resource to provide additional literature where necessary to explain the new standard.

Read More

SSAE 16 REPLACING SAS 70

ADVANTAGE TO THE COLLECTIONS INDUSTRY – AGENCIES, ATTORNEYS, VENDORS, CREDITORS AND ASSET BUYERS The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization was issued in April 2010.  As of June 15, 2011, the SSAE 16 effectively replaces the long standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1.  The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting.  The SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now.  For service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed, changes will be required to effectively report under the new SSAE 16 standard.

Read More