Frequently there is a discussion from service organizations regarding which of these an organization should complete. Many service organizations get a significant amount of requests related to information technology controls and security. The requests come in different forms, whether it be for SAS 70 reports (changing to SSAE 16 reports after June 15, 2011), completed questionnaires, and sometimes for on-site audits by the user organizations. Some of the pros and cons of each are briefly described below.
SAS70/SSAE 16 – Designed to support user auditors in the performance of a financial statement audit. Pros: Only licensed CPAs with appropriate technical training can perform these services. These internal control reports are customized to each service organization so every report is at least a little different. Cons: Reports are often long and difficult to read through. The timing of the reports may not correspond with the timing of the requests from user organizations.
FISAP – Designed to unify the questionnaires sent to organizations that provide services to the banking industry. Pros: Standardized and comprehensive questionnaire (Level 1 about 100 questions, Level 2 about 400 questions, Full more than 1,000). IT centric. Related domains can be incorporated into other audits including a SAS 70/SSAE 16 audit. Cons: IT centric is a con too considering it ignores business process controls. Any individual company can complete a FISAP questionnaire (or Agreed Upon Procedures/AUP examination for that matter) there are no rules governing this and no enforcement organization like the AICPA.
ISO 27002 – Designed to establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. Pros: Widely adopted as the standard in which to govern the IT side of the business. Cons: The standards cannot by their very nature take into consideration the intricacies and nuances associated with every service organization and therefore are often difficult or impossible to implement.
The best thing a service organization or service auditor can do is to incorporate those IT security domains and principles that are relevant. FISAP and ISO 27002 can and should be contemplated during the performance of a SAS 70/SSAE 16.