SOC1 (Service Organization Control 1) and SSAE 16 / SAS70

SAS 70 is over 18 years old and has begun to show its age. It was born before SOX or HIPAA existed, although not before COBIT. Two years ago the AICPA started looking at replacing SAS 70.

The result is SSAE 16, which must be used for any service auditor report that ends on or after June 15, 2010. Reports issued under the SSAE 16 requirements carry the title Service Organization Control 1 (SOC1).

You now need a SOC to have SOX.

SOC1 differs from SAS70 in the following four ways:

  • Focus: It is only meant to be used when a service organization affects the internal control over financial reporting (“ICFR”) for service users (e.g. tenants).
  • Risk basis: A service organization’s management will have to explain how all aspects of their services and control objectives are reasonable given the risk. They need to identify risks and related control objectives in their description and explain how controls are deployed to mitigate the identified risks.
  • Period: The system description must cover the entire period of testing for operational effectiveness, rather than just the close of that period.
  • Assertion: The report is an attestation standard rather than just an audit. A service organization’s management will provide a detailed assertion for the auditors. This documented assertion is included with the SOC 1 report.

SOC1 is just the start. SOC2 comes next. Like a SAS 70, it is intended to meet the needs of customers with regard to governance over service organizations. Unlike a SAS 70, it is meant to address operations and risk outside the internal financial controls. Service providers, in other words, should use a SOC2 instead of a SOC1. SOC 3 is a lighter version, lacking the detailed test results of a SOC 2, meant for a general audience.

SOC2 is based on the Trust Services Criteria (previously known as the SysTrust and WebTrust criteria). It will provide guidance in the form of a SAS 70-like report together with the criteria and objectives that controls should meet when they are put in place. It is meant to cover the risk categories of Confidentiality, Integrity and Availability.

AICPA Privacy Maturity Model

Send comments now to the AICPA on their Privacy Maturity Model.

The PMM, based on Generally Accepted Privacy Principles (GAPP), outlines the expectations on each of the six levels of maturity in the Capability Maturity Model for each of the 73 criteria in GAPP. The PMM recognizes that an organization’s privacy practices may be at various levels or stages and that based on the organization’s privacy risk assessment, not all privacy initiatives need to reach the highest level. The PMM can serve as a valuable benchmarking tool and serve as a guide as to how practices in a certain area could be improved and strengthened.

Individuals and organizations are invited to submit comments on the PMM and attached user guide. Feel free to make comments directly on the draft documents by tracking changes and adding comments. To be considered, comments must be sent to nicholas.cheung@cica.ca by October 1, 2010.

The first set of questions I will raise with them (meeting this afternoon) is related to multi-tenant and multi-jurisdiction environments — cloudy privacy. The second question set is related to the optimized level. I have always found that organizations tend not to aim beyond level three. Is five really meant to be practical, or are four and five just holy grail stuff?

Irish Bank asks Gov to Restrict Cash Use

The National Irish Bank has issued a report that urges the government to reduce ATM withdrawals.

National Irish Bank said in its report, “Target 2013: Modernizing Payments In Ireland,” that ATMs are the principal way many consumers access cash, and that the government should try to influence people to reduce cash withdrawals from ATMs in favor of greater use of debit cards and other electronic payments. The study said that by moving to electronic payments and away from cash and checks, the country would save 1 billion euros (U.S. $1.3 billion) annually, or about 680 euros (U.S. $869) per household.

Fake Pot Ban Fail

New laws have been passed to prohibit the sale of synthetic marijuana. They are not working.

Barely six months after Kansas adopted the nation’s first ban on K2, even police acknowledge that the laws are all but meaningless because merchants can so easily offer legal alternatives.

Simple changes to the ingredient get around the letter of the law. Law enforcement is unable to keep up with this technical change, and the letter of the law is also quickly out of date.

[Clemson University chemistry professor John Huffman, who developed the compounds in 1995,] doubts that law enforcement agencies will be able to devote the necessary resources to identify such complex creations as “1-pentyl-3-(1-naphthoyl)indole,” the substance’s scientific name. The compound sold as K2 is also known by the scientific shorthand of JWH-018, a nod to its creator’s initials.

“The guy in the average crime lab isn’t really capable of doing the kind of sophisticated tests necessary” to identify the substance, he said.

It is a good study of the marriage between security filters and compliance language.

The law tries to be so specific that it names a particular chemical makeup. Attempts to ban thus stimulate innovation and new chemical compounds. The more effective approach is to educate the market about harm. A problem with that, of course, is that the harm has been hard to quantify or even describe. All I saw was an increased heart rate, and that is hardly cause for alarm. Another approach would be to write the requirement more broadly. A problem with that is that it may infringe upon other legal, let alone beneficial, behavior.

Speaking of filters, when it is hard to prove harm and hard to write a narrow definition, the legal system perhaps should be able to avoid passing an ineffective law.