AICPA recently introduced a Statement on Standards applied to evaluate controls on services performed by a service organisation.
Cyber attacks have increased at an alarming rate in the Internet-powered e-business environment. Websites of government agencies, corporates and individuals are systematically attacked, increasingly using well-engineered automated software for phishing and for gaining access to critical information assets. Unlike physical crimes such as automobile theft or house burglary, crimes in the digital terrain are committed with lightning speed and precision.
Corporates are increasingly switching to cloud computing and outsourcing many functions to service organizations. These companies demand assurance from their outsourced service providers that risks have been identified and mitigated. Approximately 42 per cent of cloud service providers follow the PCI DSS (Payment Card Industry Data Security Standard). This global security standard applies to all organizations that handle credit card business, and is intended to give the credit card industry adequate controls for data integrity, authenticity, confidentiality and availability, so as to prevent financial or identity fraud and theft when a credit card is used.
The American Institute of Certified Public Accountants (AICPA) developed SAS 70 (Statement on Auditing Standards No. 70) in 1992, defining what an auditor should do to assess the internal controls of a service organization. Under this standard the auditor issues either a Type I or a Type II report, depending on what the service organization or the user organization requests.
In a Type I report, the auditor evaluates the efforts made by the service organization, as at the time of the audit, to prevent accounting inconsistencies, errors and misrepresentation. In a Type II report, the auditor goes further: after assessing the controls in place within the organization, the auditor also reports on the effectiveness of the agreed-upon controls. An independent audit assessment builds credentials and customers' trust and confidence. Type II reports also pinpoint operational deficiencies that need rectification.
Considering recent technological innovations, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) on June 15, 2011, in line with globally accepted international accounting standards. This standard is applied to evaluate controls over the services performed by a service organization and over its internal control on financial reporting. A service organization may undertake an SSAE 16 engagement, which results in a SOC 1 report (Service Organization Control report). Such a report highlights control deficiencies to the management of the service organization, to its financial auditor, and to its customers.
Keeping in view emerging marketplace requirements, AICPA has also examined controls relevant to the security, availability, integrity, confidentiality or privacy of the information a system processes for customers, and has designed appropriate guidance. The standard and guidance require preparation of a SOC 2 report and, in certain circumstances, a SOC 3 report as well, analysing and resolving key control issues.
When a company outsources a function to a service organization, it is important to enter into an SSAE 16 engagement with that service organization, because the service organization may come to hold mission-critical information assets, such as a health insurer's patient information for medical claims. In such circumstances, the health insurer should insist on assurance from the service organization, for example a cloud service provider, regarding the privacy of this key digital data. The information systems auditor, in turn, should apply the comprehensive checks required under the revised engagement standard SSAE 16 and prepare a report that addresses the security of the information system.
(The author is a Director-General, CAG Office.)