In the past two weeks, we have been asked by multiple clients to explain to their customers that the SAS 70 audit standard was superseded as of June 15, 2011. Our clients were faced with frustrated user organizations that were looking for their SAS 70 audit report. We had to provide not only our literature and white papers outlining that the audit standard has been superseded but also information directly from the American Institute of CPAs (AICPA) to the same effect. It even got to the point where I told the user organization to call a national accounting firm in their city to confirm what we have said along with the AICPA. This frustration from user organizations can be expected when the SAS 70 audit requirement lies in the hands of a contracting officer at the user organization. The communication gap between the legal or vendor relations department and the accounting departments at an organization is sometimes wide and must be bridged. When the exposure draft of SSAE 16 was released years ago, I recall preaching to clients that they should begin speaking with their customers regarding the change and update contracts with customers as well as vendors to reflect the eventual vanishing of SAS 70. As we move into September, which is typically “SSAE 16 busy season,” we continue to encourage our clients to contact their customers and educate them regarding the change, and to utilize A-LIGN as a resource to provide additional literature where necessary to explain the new standard.
Even worse than the aforementioned story is the story of why SSAE 16 does not apply even though the service organization underwent a SAS 70 audit in the past. We recently issued a SOC 2 (AT 101) report for an organization that underwent a SAS 70 audit previously. Our client was the first line that had to be educated about the change and why they were not receiving an SSAE 16, since that seemed like the logical choice. The client understood they did not affect their customer’s internal control over financial reporting and that a SOC 2 or SOC 3 was an appropriate choice. Now, though, the fun started in explaining to their customer why a SOC 2 or SOC 3 was the correct reporting option. This took several back-and-forth discussions. Of course, our client felt heartache since they had just invested time and money to complete a SOC 2 and now there was a chance their clients would not accept the report. These two scenarios should be similar to Y2K, where it is a one-time occurrence this year, but service organizations should work with their clients now before being in a defensive, reactionary mode in the future.