Statement on Auditing Standards No. 70, or SAS 70, has become a widely recognized standard for service organizations that must demonstrate evidence of their control objectives and activities. The Standard was developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 is not a traditional required audit like SOX. The controls framework and scope are determined by the service organization, not the auditor. The SAS 70 is not a ‘certification’ but rather a report that provides independent confirmation about the service provider's control environment. There are two SAS 70 reports, a Type I and a Type II. The Type I reports on the controls at a single point in time; essentially, it is an attestation that the controls exist and that they are adequate and appropriate for the stated control objectives. The Type II report actually requires that those controls be exercised and audited over a control period, typically 6-12 months. It is really the Type II report that consumers want to see.
Another interesting item about a SAS 70 report is that it is not a public document. The service provider is not at liberty to hand it out like candy to anybody who wants to see it. SAS 70s may usually only be released to customers who have the proper agreements in place. As a provider of cloud-based contact center solutions, NICE often receives requests for a SAS 70, and in 2010 we undertook the action of performing a SAS 70 audit of our data centers and data center controls. Customers who are under contract and that have a Non-Disclosure Agreement (NDA) with NICE can request our SAS 70 information.
But that is not the end of the story…
Due to increased use of cloud providers and outsourcing, as well as to address or correct the use of SAS 70 beyond its original intent, which was as an auditor-to-auditor report over financial controls, the AICPA is replacing the SAS 70 with the Statement on Standards for Attestation Engagements No. 16, or SSAE 16. After June 15, 2011, a SAS 70 will be replaced by SSAE 16. The SSAE 16 will retain much of the same terminology, such as Opinions, Controls and Control Objectives, but will now have three types of reports: the SOC 1, SOC 2 and SOC 3.
- SOC 1 - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
- SOC 2 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy – This report type will apply to NICE's SSAE 16.
- SOC 3 - Trust Services Report
And the answer for 2011 is that NICE will perform an SSAE 16 audit for its data center controls, and that report will be available in early 2012.
Integrity, reliability and transparency are extremely valuable in the cloud services environment, and the SAS 70/SSAE 16, performed by an independent, reputable auditor, is one of the many ways NICE works to ensure those essential elements for its customers.