New Attestation Standards Allow For Greater Choice, Transparency

December 19, 2011

By Angelique Carson, CIPP

One size does not fit all when it comes to trying to determine what type of audit report to use under the American Institute of CPAs’ new attestation standards. That’s according to Richard Hannmann of KPMG who recently co-chaired the IAPP KnowledgeNet “The Death of SAS70: SOC It To Me.”

The bicoastal meeting, co-chaired by Hannmann from Boston and simultaneously by KPMG’s Doron Rotman, CIPP, from San Francisco, aimed to identify the risks IT and financial service organizations face when using third-party service providers; discuss the ways audits can be considered a good business practice; identify the types of reports available under the new attestation standard—Statement on Standards for Attestation Engagements (SSAE) No. 16, which recently replaced the nearly 40-year-old Statements on Auditing Standards (SAS) No. 70—and discuss which reports would be most useful to an organization’s needs.

As outsourcing to third parties becomes increasingly common and privacy and breaches dominate headlines, audits to measure internal data controls are of great interest to regulators and government oversight departments.

Therefore, ensuring accountability is essential when it comes to using third-party service providers, Rotman said. As more and more personal data is outsourced, there must be standards extended to the service provider on data accountability, security and integrity; use and onward transfer of data from one third party to another; contract management; data integrity; and the monitoring and enforcement of laws and regulations.

It’s essential that an organization has a repeatable and scalable process for the data lifecycle management before outsourcing processes to other organizations, Rotman said.

“It sounds very simple, it sounds basic. But unfortunately, a lot of organizations don’t always understand what types of information they collect and how the information is stored and shared with third parties. And you need to understand all of that before you can turn to a third party for any type of assurance,” Rotman said.

“Get your house in order first, before you transfer information. After you have your house in order, you can really turn to the service provider to say ‘How will you demonstrate that you also have your privacy house in order?’”

SOC 1, 2 and 3

Service Organization Control (SOC) reports are now replacing the SAS 70. Three types of reports are available, depending on an organization’s needs. While the SOC 1 report directly replaces the SAS 70 for financial reporting support, the SOC 2 and SOC 3 reports are based upon the Trust Services Principles of security, availability, confidentiality, processing integrity and privacy—which allow organizations to meet the specific operational and compliance needs that apply to them, including security and privacy concerns related to the cloud.

SOC 1 focuses on internal control over financial reporting and is generally used when the service provider performs financial transaction processing. SOC 2 is a detailed report like the SOC 1, but it focuses on security, availability, processing integrity, confidentiality and/or privacy related to non-financial systems. Hannmann suspects that the government will shortly begin using SOC 2 as a regulatory tool.

“From a regulatory perspective, I can see that SOC 2 is going to be very popular and start to be visible,” he said.

SOC 3 is intended for those users who do not need the detailed knowledge provided by a SOC 2 report. It consists of a short report containing the auditor’s opinion and a brief description of the system in scope. Upon receiving a successful “unqualified” SOC 3 report opinion, a service provider can post a website seal demonstrating a level of compliance and proficiency. As such, it is becoming a marketing tool for organizations aiming to demonstrate competency and compliance.

“So if your company is very proud of security…you now have a tool to reach out and say, ‘Hey, come to me.’ For an independent party to say that your system is reliable for processing information in terms of security and accuracy (processing integrity and availability), that’s a pretty strong statement,” Hannmann said.

In the end, accountability starts with the data controller, according to Rotman.

“To demonstrate trust around the value chain is a problem companies have been facing for a long time,” he said, adding that due diligence, contractual agreements and compliance monitoring can help to mitigate third-party risks. “You can outsource data, you can outsource services, but you cannot outsource accountability. That always stays within the organization that collects the information.”


IAPP KnowledgeNet events take place in cities around the world, and they are free and open to all IAPP members. For a list of upcoming KnowledgeNet events, visit here. To volunteer to host a KnowledgeNet event, contact us at knowledgenet@privacyassociation.org.