Why are you still being asked for a SAS 70 on RFPs?

Posted by: Robert Brenis CGEIT, CISA, CRISC, PMP
Wednesday, December 14, 2011

Because the people asking do not know about the changes that have been made.

On June 15, 2011, SAS 70s were broken into two different standards: a new standard (SSAE 16) and an existing standard (AT 101).

These two different standards are used for two different reasons:

The SSAE 16 focuses on controls at service organizations likely to be relevant to user entities’ internal control over financial reporting.

The AT 101 focuses on controls at a service organization that do NOT affect its clients’ internal control over financial reporting.

There are five specific principles that can be addressed with an AT 101 report:
  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

What we can do is help determine which report is right for you and your user organizations.

For more information on your service organization's SOC Reporting needs, please leave a comment below or contact us at 440-449-6800.
