Guest Opinion: Use Right Audit for Service Providers
The American Institute of Certified Public Accountants has introduced several reforms to its auditing standards and created another layer of confusion for credit unions that outsource to service providers.
The 19-year-old Statement on Auditing Standards 70 was replaced by the Statement on Standards for Attestation Engagements 16, with the primary change being attestation by service-provider management that audited controls are in place.
An SAS 70 is a good assessment within its purpose. But it does not address data security, and that’s its weakness.
When credit unions outsource, security controls of the service provider effectively become security controls of the credit union. Thus, a thorough assessment is essential. While SAS 70 and SSAE 16 do not assess data security, there are three auditing tools that do: shared assessments, SOC 2 and SOC 3.
An SOC 3 is a light version of SOC 2. The auditor provides only a summary report without detailed findings. Further, the SOC 3 has an associated seal the service provider may use in marketing materials affirming that an SOC 3 audit has been conducted.
So if, and only if, you are outsourcing to a service provider whose work entails financial reporting that posts to your general ledger, then you should obtain from that service provider an SAS 70 or an SSAE 16 audit.