Here's a session I sat through at the AICPA Practitioners /Tech + Conference in Vegas

It's a long video, but it's worth it.  By the way, I asked Chris a question at the end about using technical specialists on SOC 2 engagements.

A Blog Post to Fear

Dear Fear,

I am blogging this to inform you that you do not scare me.  This week I have seen the effect that you have on people, and have suffered the harm that they caused me as a result of their fear.  You should know that even that did not scare me because I understand you.

Take this guy for example:
He does not scare me.  I know that he thinks that he is scaring me, and that I will go out and pay a lot of money to the first person who says they can prevent him from hacking my system, but here's the thing.  I see someone who is himself afraid.  

The first thing I noticed about him is that he is sitting on a couch in his apartment living room, or in his basement, with the staircase banisters behind him.  Why does he think I should be scared of him making a face at me from his apartment living room sitting on his couch that is too close to the stairs?  Is it just supposed to be implied that he is scary because he looks like a ghost that needs to brush his teeth?  

The second thing I noticed is that he has used a simple technology to disguise himself.  He has merely inverted the colors of the photo, creating a ghost-like appearance that I am supposed to be afraid of.  How stupid does he think I am?  I have Photoshop too.

Well, here is his real face. 
Not so scary now, huh?  You see, all I have to do, Fear, is dissect you, and you are rendered powerless against me.  I simply have to understand the current manifestation of you fully, and then show you how you are not scary at all.

In this guy's case he is probably not a real hacker, he's probably what real hackers call a "cracker."  Perhaps if you are not too busy trying to scare people, you can understand the difference by reading this description of a Hacker vs. a Cracker.

Okay Fear, now that you understand where I am coming from, let's talk about what you have done to people in the risk assurance industry, and specifically in the SOC (formerly SAS70) reports market.

The first thing you did was to introduce yourself as "SSAE16 replaces SAS70" and tell everyone that you were the only replacement for SAS70, even though the AICPA made it clear that SSAE16 is not designed to provide assurance regarding security, availability, processing integrity, confidentiality, or privacy.

  • You told people that if everyone would just simply accept that "SSAE16 replaces SAS70", there would be nothing to fear because SSAE16 is just a little bit different than SAS70. 
  • You told service organizations that they could get by with just adding a Management Assertion to the beginning of the report, which they thought was a little bit scary because they have to put themselves on the hook, but not too scary because what they put themselves on the hook for is not that much.
  • You told them that if they did that and a few other things, then everything could go on as it had in the past, and there would be nothing to fear.

You convinced service auditors that if they promoted the "SSAE16 replaces SAS70" mantra, they would not risk losing their clients.

  • You made them afraid that requiring their clients to move to the more applicable SOC2 engagement would cause their clients to push back, and start shopping for a different service auditor.
  • You told them to say that it was just a little change, did not require much effort, and would cause very little, if any, increase in audit fees.
  • Fear, you convinced service auditors that the AICPA did not actually mean it when they said that SSAE16 is not designed to provide assurance regarding security, availability, processing integrity, confidentiality, or privacy.

Fast forward to today, Fear.  You are convincing some people who understood the changes in the standards, and got it right the first time, not to talk about it too loudly because they are afraid of what people might think.  You may have successfully silenced some, but you will not silence me or others like me who are not afraid of you.

As with the man above, I have dissected your current embodiment in the "SSAE16 replaced SAS70" confusion, and have exposed you for who you are.  Please see my post titled "When I See a Can in the Road, All I Want to do is Smash It" where I took a can of "Secure" and smashed it because it had a fictitious "SSAE16 Type II Certified" logo on it.

I understand you, and I am not afraid.  Fear has to do with punishment.  I am not afraid of being punished for saying "SSAE16 replaced SAS70" created confusion in the risk assurance market, because it is true.  However, it may be an appropriate time to fear for those who caused the confusion last year by giving in to you, while knowing that there was more to the story.  Maybe you can spend your energy focusing on those people now?


The Risk Assurance Guy