The American Institute of Certified Public Accountants has introduced several reforms to its auditing standards and created another layer of confusion for credit unions that outsource to service providers.
The 19-year-old Statement on Auditing Standards 70 was replaced with the Statement on Standards for Attestation Engagements 16 with the primary change being attestation by service-provider management that audited controls are in place.
The AICPA also introduced two additional standards and grouped the three under the name Service Organization Controls. An SOC 1 is the new SSAE 16. SOC 2 and SOC 3 are new reports focusing on data security. Meanwhile, there already was in place an audit totally focused on data security: the Shared Assessments program.
So when do you use what?
The purpose of an SAS 70 has been to ensure that a credit union’s financial reporting is accurate when that information comes from third-party providers. An SAS 70 is an audit of reporting controls at such providers.
Say a credit union contracts with an investment firm for management of its portfolio. The investment firm provides reports on the portfolio’s value, and the value is then entered into the credit union’s general ledger. An SAS 70 is needed because an erroneous report by the investment firm would result in an erroneous financial statement by the credit union. An SAS 70 could affirm that controls at the investment firm are adequate to maintain reporting accuracy.
An SAS 70 is a good assessment within its purpose. But it does not address data security, and that’s its weakness.
When credit unions outsource, the security controls of the service provider effectively become security controls of the credit union. Thus, a thorough assessment is essential. While SAS 70 and SSAE 16 do not assess data security, there are three auditing tools that do: Shared Assessments, SOC 2 and SOC 3.
Shared Assessments focuses on security and is embraced by the Credit Union Information Security Professionals Association as part of its vendor security assurance program.
Originally developed by a consortium of financial institutions, accounting firms and service providers, it was conceived as a standardized and objective assessment that would help outsourcers meet regulatory and risk-management requirements while reducing costs. In full form, Shared Assessments uses an independent on-site assessment and detailed responses to 880 standardized questions evaluating security controls.
Let’s say a credit union chooses to outsource the generation of its customer statements. Each statement is a report of what the credit union’s records reflect; the service provider is merely printing and mailing the report for the credit union. Meanwhile, that customer data is extremely sensitive. So an SAS 70 is far from the ideal tool, and Shared Assessments is about as close as one can get.
SOC 2, one of the AICPA’s new audits, measures essentially the same security controls as Shared Assessments, albeit over a potentially longer timeframe (and at a correspondingly higher cost). Remember, the Shared Assessments process is standardized, and standardization results in greater efficiency.
An SOC 3 is a light version of SOC 2. The auditor provides only a summary report without detailed findings. Further, the SOC 3 has an associated seal the service provider may use in marketing materials affirming that an SOC 3 audit has been conducted.
So if, and only if, you are outsourcing to a service provider whose work entails financial reporting that posts to your general ledger, then you should obtain from that service provider an SAS 70 or an SSAE 16 audit.
If you are outsourcing data for routine processing, and that data contains private information, you should obtain an audit of the service provider’s data security controls. For a detailed audit, the Shared Assessments program or the new SOC 2 will provide it. If you only need summary information, the new SOC 3 should be adequate.
In conforming to the specifics of any security audit, service providers strengthen their controls as weaknesses become apparent. The result is that providers who undergo a security audit are likely to have controls as stringent as, or more stringent than, those of the very credit unions that are outsourcing data to them.
Chris Cronin is president of SourceOne Output Technologies.
Contact 501-374-7676 or firstname.lastname@example.org