The FFIEC Handbooks and the SAS 70 – Compliance Guru


I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC 3) here and here. The AICPA isn’t expected to update its audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, in a total of 8 of the 12 IT Examination Handbooks. It’s mentioned 10 times in the Information Security Handbook alone!

I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”.  It will then fall to the financial institution to determine the most appropriate report for each service provider, based on their risk assessment.  However, the service provider will deliver whatever report they decided to prepare, which may or may not match the report requested.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
