MDF and Co-Op Audit – What’s the Standard: SOC, SAS 70, SSAE 16?

  • November 17, 2016


What certification do I need my MDF and Co-Op service provider to have, and what is the difference between SOC, SAS 70 and SSAE 16? Not every customer or prospect phrases the question exactly that way, but it is what everyone wants to know. Over the last several years the audit standards that apply to MDF and Co-Op service providers have changed, and customers and vendors alike are struggling to keep up. Hopefully we can bring a little clarity to the situation.

SAS 70 was the audit standard to look for in an MDF and Co-Op service provider prior to June 15, 2011. At that point the accounting profession (the AICPA) adopted a new reporting framework called Service Organization Control (SOC) reports. Before diving into Service Organization Controls, let’s first cover what prompted the change.

Evolution of SAS 70

The original intent of SAS 70 was an audit of a service organization’s internal controls over financial reporting. For an MDF and Co-Op service provider, this gave assurance that it used commonly accepted accounting methods and internal controls when compiling the financial reports its customers rely on. SAS 70 was built on the ICFR (Internal Control over Financial Reporting) concept.

“Internal controls” are the procedures a service organization follows to provide reasonable assurance that it complies with laws, regulations, accounting practices and its own policies. Under the internal-control framework developed in the early 1990s (the COSO framework on which ICFR is based), controls fall into three types according to the objective they serve:

  • Those that affect a company’s operations
  • Those that affect a company’s compliance with laws and regulations
  • Those that affect a company’s financial reporting

Frequently, a single control addresses more than one of these objectives. The Sarbanes-Oxley Act of 2002 placed heavy emphasis on internal controls, which drove adoption of the ICFR framework. SAS 70 emerged as the auditing standard for showing that financial service providers had adequate internal controls in place and were adhering to them. That matters when you consider the estimated $70 billion allocated annually to MDF and Co-Op programs.

SAS 70 was issued in 1992 as an audit of corporate ICFR frameworks. In 2004 it was split into two standards: for user auditors (the auditors of the service provider’s customers) SAS 70 remained an auditing standard, while for service auditors (those examining the service provider itself) it became an attestation standard.

SAS 70 Becomes SSAE SOC 1 & 2

In April 2010, SAS 70’s guidance for service auditors was moved into Statement on Standards for Attestation Engagements (SSAE) No. 16, and the resulting report became the SOC 1℠ report. Shortly thereafter, SOC 2℠ was issued to cover controls at a service organization that are relevant to security, availability, processing integrity, confidentiality and privacy. To keep it simple:

A SOC 1℠ Report – covers internal controls over financial reporting (effectively ICFR, SAS 70’s original intent).

A SOC 2℠ Report – covers controls relevant to security, availability, processing integrity, confidentiality and privacy, including the information security policies and procedures behind them.

The superscript SM is a service mark symbol (℠), not an abbreviation: the AICPA holds the SOC report names as service marks. Both reports relate to service providers.

If you followed all that: SAS 70, in its original sense of controls over financial reporting, became SOC 1. SOC 2 took over the non-financial areas (security, availability and so on) that SAS 70 reports had been stretched to cover over the years.

It is also important to note that SOC 2 has not reached the acceptance level of SOC 1. Everyone seemed to agree that where SAS 70 compliance was required in the past, an SSAE 16 SOC 1℠ report would be required going forward. SOC 2, on the other hand, was viewed by many service providers as an unnecessary expense. That thinking was reinforced by industry giants such as Google, which obtained SOC 1 reports while passing over the more relevant SOC 2.

Emergence of SOC 3 for MDF and Co-Op Audit

SOC 3 has now emerged in an effort to get service providers on board with SOC 2. A SOC 3℠ report covers the same ground as a SOC 2℠ report in a shorter form (no description of the auditor’s tests of controls or their results). Because it is a general-use report, unlike the restricted-use SOC 1 and SOC 2 reports, it is lower cost and can be freely distributed, so the service provider can use it in marketing.

Will SOC 3 succeed where SOC 2 has not? It is still too early to tell. One thing is certain: if you are going to let a service provider handle a significant amount of money through your MDF and Co-Op programs, make sure it has an SSAE 16 SOC 1℠ attestation at a minimum. Ask for the Type 2 report, which tests whether the controls operated effectively over a period (typically six to twelve months), rather than the Type 1 report, which only describes their design at a single point in time.
