By Harvey L. Johnson, CPA, Manager
As Published in CU Management Magazine
What CUs need to know about SSAE 16 as SAS 70 goes away
Vendor management continues to be a focus for regulators since many credit unions are expanding their use of outsourced services. Such outsourcing arrangements offer credit unions numerous benefits, from cost containment to the opportunity to expand and improve the services they offer their members. But while outsourcing makes perfect sense on a number of operational levels, credit unions must still assume complete responsibility for the actions of their third-party providers.
The use of third-party service providers can increase a credit union’s operational, strategic, reputation and compliance risk. The regulatory guidance on this comes from the Federal Financial Institutions Examination Council (see especially its chapter on risk management and Appendix B). Based on this guidance, credit unions should be performing the following steps:
1. risk assessment,
2. due diligence and service provider selection,
3. contract analysis and negotiation, and
4. ongoing monitoring of service providers (oversight).
Until now, credit unions have relied on a type of audit report provided by service providers called SAS 70, a data-driven, independent report on vendors’ internal controls, covering information security, availability, processing integrity and privacy. The SAS 70 report gives credit unions assurance that the service organization has adequate controls in place to ensure the accuracy and integrity of its data, transactions and information systems. This report is integral in the initial due diligence and selection of a vendor, as well as ongoing monitoring of the vendor.
Beginning June 15, 2011, the SAS 70 will go away, to be replaced by a new auditing standard, SSAE 16. Why the change?
In short, accounting and auditing standards are moving to one uniform set of consistent standards that apply globally (international standards). Until now, there has been a U.S. standard – the SAS 70 – and a global standard that was used essentially everywhere else. With business increasingly becoming international and the global economy no longer dominated by the United States, SSAE 16 represents a shift to align the U.S. and international auditing standards.
For credit unions, this means they must understand a number of changes in the accounting and auditing standards used for monitoring third-party providers – because one thing that hasn’t changed is that credit unions are still responsible for vendor management and ongoing monitoring of their third-party service providers.
Here’s a summary of the major changes and what credit unions need to know about the new standard:
- Management’s written assertion about the effectiveness of internal controls. Under the new SSAE 16 standards, management of third-party providers will now be required to provide a written assertion about the effectiveness of internal controls. Auditors will have to test the assertion and determine whether it is fair and accurate. This will lead to better reporting and provide credit unions additional assurance related to service providers.
- Changes to the periods covered. SAS 70 reports used to measure controls as of a specific date/point in time. Under the new standard, controls will be measured over a period of time rather than a single point in time. This change is designed to eliminate the issue of controls being ineffective throughout the year, but then being corrected at the end of the year – allowing vendors to have a “clean” opinion on internal controls despite having had control issues during the year.
- Changes to common terminology. A number of definitions have also changed as a result of the shift to the new SSAE 16 standards. “Exceptions” will now be referred to as “deviations.” “Description of controls” is now “description of system,” which is meant to be more comprehensive and now includes procedures, people, software, data and infrastructure. These changes are relatively minor, but for credit unions familiar with the old terms, this is something to be aware of.
- Changes in the reports offered. One of the major changes is the increase in the types of internal control reports that will be issued. Previously, there were two types of reports, both SAS 70: Type I and Type II. Type I reports described the control environment, while Type II reports involved testing of the control environment, thus offering additional assurance to credit unions.
Under the new SSAE 16 standard, reports will be referred to as “Service Organization Control” (SOC) reports, and there will be three types of SOC report (SOC 1, SOC 2 and SOC 3). For SOC 1 and SOC 2 reports, there will be Type I and Type II reports, increasing the total number of reports from two to five.
- SOC 1 reports replace the traditional SAS 70 and will be used to evaluate internal controls over financial reporting.
- SOC 2 reports will be used to evaluate such internal controls as security, availability, processing integrity, confidentiality and privacy.
- SOC 3 reports are an abbreviated version of SOC 2 reports that will not include testing tables.
Initially, requesting the correct report will be the biggest challenge. It will be tempting to request the SOC 1, since it most closely resembles the traditional SAS 70 report. However, for ongoing monitoring of vendors, credit unions will really need the SOC 2 (Type II) report. SOC 1 reports relate to controls over financial reporting, which are generally used by investors to gain confidence that financial statements issued by public companies are accurate and can be relied upon. While important, this doesn’t provide any assurance about the vendor’s actual processes (operations).
SOC 2 reports, on the other hand, are designed to be used by organizations like credit unions to gain confidence in the systems of a third-party provider. SOC 2 reports will focus on the vendor’s day-to-day operational controls (the actual services they are providing) and will be centered on controls for data security (confidentiality and privacy) and data availability, as well as processing integrity. This type of report will also help credit unions and others better understand the details of the third-party provider’s processing and controls, the tests performed by the service auditor, and the results of those tests.
SOC 3 reports, while similar to SOC 2 reports, will not be as transparent or comprehensive as SOC 2 reports.
The key for credit unions is ensuring they continue to perform their fiduciary responsibility when it comes to vendor due diligence. Failing to obtain the correct type of report from the service provider could lead to the credit union unknowingly relying on a vendor’s controls when they may not be effective, jeopardizing their members’ private data. This risk can easily be mitigated by understanding the new standard and how it will impact the reports credit unions need to obtain as part of their ongoing monitoring of critical vendors.
Harvey Johnson is an audit manager and is an active member of the Financial Institution Services Team at Witt Mares PLC, a regional accounting and consulting firm serving clients throughout the mid-Atlantic. Contact him at hjohnson@wittmares.com or visit www.wittmares.com.
