MDF and Co-Op Audit – What’s the standard SOC, SAS 70, SSAE 16 ?
What certification do I need my MDF and Co-Op service provider to have, and what’s the difference between SOC, SAS 70, SSAE 16? That question might not be exactly how every customer or prospect phrases it, but it seems to be what everyone wants to know. Over the last several years there have been changes in MDF and Co-Op audit standards, and customers and vendors are struggling to keep up. Hopefully, we can bring a little clarity to this situation.
SAS 70 was the MDF and Co-Op audit standard to look for in service providers prior to June 15, 2011. At that time the accounting profession adopted a new reporting framework called Service Organization Control (SOC). Before diving too deep into Service Organization Controls let’s first cover what prompted the change.
Evolution of SAS 70
The original intent of SAS 70 was an audit of internal controls over financial reporting. For an MDF and Co-Op audit, this ensured that the service provider used commonly accepted accounting methods and internal controls when compiling financial reports. SAS 70 was built on the ICFR (Internal Control over Financial Reporting) concept.
“Internal controls” refer to the procedures your service organization takes to reasonably ensure compliance with laws, regulations, accounting practices and your company’s policies. Under the ICFR framework, developed in the early 1990s, there are three types of internal controls:
- Those that affect a company’s operations
- Those that affect a company’s compliance with laws and regulations
- Those that affect a company’s financial reporting
Frequently, a control may address more than one of these objectives. The Sarbanes-Oxley Act of 2002 put a high level of emphasis on internal controls, which drove the adoption of the ICFR framework. SAS 70 emerged as the auditing standard for ensuring that financial service providers had adequate internal controls in place and were adhering to those controls. This is very important when you consider the estimated $70 billion allocated annually to MDF and Co-Op programs.
SAS 70 came to life in 1992 as an audit of corporate ICFR frameworks. In 2004, SAS 70 became two standards. For user auditors SAS 70 remained an auditing standard, and for service auditors it became an attestation standard.
SAS 70 Becomes SSAE SOC 1 & 2
In April 2010, SAS 70's guidance for service auditors was moved to Statement on Standards for Attestation Engagements (SSAE) No. 16 and a SOC 1 (SM) Report. Shortly thereafter, SOC 2 (SM) was issued, which covered controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and privacy. To keep it simple:
- A SOC 1 (SM) Report – covers Internal Controls over Financial Reporting (effectively ICFR, or SAS 70's original intent).
- A SOC 2 (SM) Report – covers systems availability and information policies and procedures.
The SM stands for "Service Management", as both are related to service providers.
Now if you followed all that, SAS 70 as related to its original intent of controls over financial reporting became SOC 1. SOC 2 became a catch-all for a bunch of other things that had been added to SAS 70 over the years.
It's also important to note that SOC 2 has not had the acceptance level of SOC 1. Universally, everyone seemed to agree that if SAS 70 compliance was required in the past, you'd need an SSAE SOC 1 (SM) report going forward. SOC 2, on the other hand, was viewed as an unnecessary expense by many service providers. This thinking was spurred on by industry giants such as Google, when they began obtaining SOC 1 reports while ignoring the more relevant SOC 2.
Emergence of SOC 3 for MDF and Co-Op Audit
Now SOC 3 has emerged in an effort to get service providers on board with SOC 2. A SOC 3 (SM) report covers the same ground as a SOC 2 (SM) report in a shorter form (i.e., no description of the tests of controls and their results), with the added benefits of being lower cost and usable as marketing material by the service provider.
Will SOC 3 succeed where SOC 2 failed? It's still too early to tell. One thing is certain: if you are going to let a service provider handle a significant amount of money through your MDF and Co-Op programs, you should make sure they have an SSAE 16 SOC 1 (SM) Attestation at a minimum.