
MDF and Co-Op Audit – What’s the standard: SOC, SAS 70, SSAE 16?

  • November 17, 2016


What certification do I need my MDF and Co-Op service provider to have, and what’s the difference between SOC, SAS 70, SSAE 16? That question might not be exactly how every customer or prospect phrases it, but it seems to be what everyone wants to know. Over the last several years there have been changes in MDF and Co-Op audit standards, and customers and vendors are struggling to keep up. Hopefully, we can bring a little clarity to this situation.

SAS 70 was the MDF and Co-Op audit standard to look for in service providers prior to June 15, 2011. At that time the accounting profession adopted a new reporting framework called Service Organization Control (SOC). Before diving too deep into Service Organization Controls, let’s first cover what prompted the change.

Evolution of SAS 70

The original intent of SAS 70 was an audit of internal controls over financial reporting. This ensured that an MDF and Co-Op audit by a service provider used commonly accepted accounting methods and internal controls when compiling financial reports. SAS 70 was built off the ICFR (Internal Control over Financial Reporting) concept.

“Internal controls” refer to the procedures your service organization takes to reasonably ensure compliance with laws, regulations, accounting practices and your company’s policies. Under the ICFR framework, developed in the early 1990s, there are three types of internal controls:

  • Those that affect a company’s operations
  • Those that affect a company’s compliance with laws and regulations
  • Those that affect a company’s financial reporting

Frequently, a control may address more than one of these objectives. The Sarbanes-Oxley Act of 2002 put a high level of emphasis on internal controls, which drove the adoption of the ICFR framework. SAS 70 emerged as the auditing standard for ensuring that financial service providers had adequate internal controls in place and were adhering to those controls. This is very important when you consider the estimated $70 billion annually allocated to MDF and COOP programs.

SAS 70 came to life in 1992 as an audit of corporate ICFR frameworks. In 2004, SAS 70 became two standards. For user auditors SAS 70 remained an auditing standard, and for service auditors it became an attestation standard.

SAS 70 Becomes SSAE SOC 1 & 2

In April 2010, SAS 70’s guidance for service auditors was moved to Statement on Standards for Attestation Engagements (SSAE) No. 16 and a SOC 1SM Report. Shortly thereafter, SOC 2SM was issued, which covered controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and privacy. To keep it simple:

A SOC 1SM Report – covers Internal Controls over Financial Reporting (effectively ICFR or SAS 70’s original intent).

A SOC 2SM Report – covers systems availability and information policies and procedures.

The SM stands for “Service Management” as both are related to service providers.

Now if you followed all that, SAS 70 as related to its original intent of controls over financial reporting became SOC 1. SOC 2 became a catch-all for a bunch of other things that had been added to SAS 70 over the years.

It’s also important to note that SOC 2 has not had the acceptance level of SOC 1. Universally, everyone seemed to agree that if SAS 70 compliance was required in the past, you’d need an SSAE SOC 1SM report going forward. SOC 2, on the other hand, was viewed as an unnecessary expense by many service providers. This thinking was spurred on by industry giants such as Google, when they began obtaining SOC 1 reports while ignoring the more relevant SOC 2.

Emergence of SOC 3 for MDF and Co-Op Audit

Now SOC 3 has emerged in an effort to get service providers on board with SOC 2. A SOC 3SM report covers the same ground as a SOC 2SM report in a shorter form (i.e., no description of tests of controls and results) with the added benefits of being lower cost and usable as marketing by the service provider.

Will SOC 3 succeed where SOC 2 failed? It’s still too early to tell. One thing is for certain: if you are going to let a service provider handle a significant amount of money with your MDF and Co-Op programs, you should make sure they have an SSAE 16 SOC 1SM Attestation at a minimum.
