Top privacy issues for 2010: 4. Service provider audits - Ernst & Young - Global

Top privacy issues for 2010

Privacy risk 4: Service provider audits

New assessment tools will change the way some companies provide assurances over their processes and control environments to their customers and business partners.

The now ubiquitous SAS 70 report is changing.

The SAS 70 report is an assurance tool that auditors use to evaluate a service organization's controls over the business processes that affect the financial statements of the companies relying on those processes. In recent years, however, the SAS 70 has also become, inappropriately, the assurance tool many companies rely on for comfort over how their service providers protect personal information, a purpose it was never designed to serve.


But change is coming. In 2010, expect the American Institute of Certified Public Accountants (AICPA) to launch its overhaul of service organization reporting. The new assurance tool, which will carry a different title, will allow the report to cover controls beyond those over the integrity of financial information, so that it can address privacy and data protection controls, among others.

The prevalence of SAS 70 reports, and the existing reliance on them for general vendor management purposes, suggests that the new reporting standard will have a significant impact on many organizations. Organizations will reassess the type of audits they undergo and the type of control frameworks they expect their vendors to adopt.

The AICPA has previously developed privacy criteria titled Generally Accepted Privacy Principles (GAPP). Many organizations have used GAPP in developing their privacy programs, and some have already had their programs audited against these criteria. GAPP is the set of criteria most likely to be used for privacy and data protection under the new service organization reporting standard.



Ask yourself

In serving your business partners, have you:

  • Assessed your current reliance on SAS 70 reports in your vendor management process for broader data protection purposes?
  • Identified the extent of the privacy and security controls you would like to have assessed as part of the audits your service providers undergo?

