CCSP Exam: Audit Types Replaced Since 2011

Obsolete Audit Types

Question

Which audit type has been largely replaced by newer approaches since 2011?

Answers

Explanations

A. B. C. D.

C.

SAS-70 reports were replaced in 2011 with the SSAE-16 reports throughout the industry.

The correct answer to the question is C. SAS-70.

Option C refers to the Statement on Auditing Standards No. 70 (SAS 70), an audit standard first published by the American Institute of Certified Public Accountants (AICPA) in 1992. SAS 70 was designed to provide an auditor's opinion on a service organization's controls and processes relevant to financial reporting. Service organizations used the standard widely to demonstrate compliance with control objectives to their customers.

However, SAS 70 was criticized for its lack of guidance and clarity, leading to inconsistent and incomplete audits. Additionally, SAS 70 provided only a binary "pass/fail" opinion, which did not give customers sufficient information to assess the effectiveness of the controls being audited. In response to these criticisms, the AICPA replaced SAS 70 with two new standards: SSAE 16, and SOC 1 and SOC 2.

SSAE 16 (Statement on Standards for Attestation Engagements No. 16) was issued in 2010 and became effective in 2011. It replaced SAS 70 as the standard for reporting on controls at service organizations. SSAE 16 introduced several significant changes, including requiring service auditors to provide an opinion on the design and operating effectiveness of the controls being audited. Additionally, SSAE 16 introduced the concept of a "description of the service organization's system," which provides a detailed description of the service organization's processes, controls, and procedures.

SOC 1 and SOC 2 are two new reporting options introduced with the issuance of SSAE 16. SOC 1 reports are used to report on controls related to financial reporting, while SOC 2 reports are used to report on controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 1 and SOC 2 reports provide a more detailed and comprehensive view of a service organization's controls and processes than the previous SAS 70 standard.

In summary, SAS 70 was largely replaced by newer approaches, including SSAE 16 and the SOC 1 and SOC 2 reports, which provide more guidance, clarity, and transparency for customers seeking to assess a service organization's controls and processes.