Service organizations may perform services that affect their clients’ financial reporting. Since it was issued in the early 90s, the Statement on Auditing Standards No. 70 (SAS 70) has guided service organization auditors in attesting to the effectiveness of the related internal controls at a service organization. The service organization’s users and the user’s auditors have relied on the resulting SAS 70 reports.
However, the transition to a global economy has produced a need for more uniform reporting standards. As a result, two new standards have emerged: the International Standard on Assurance Engagements 3402 (ISAE 3402) and the closely related U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16), released in the first quarter of 2010 by the American Institute of Certified Public Accountants (AICPA). SSAE 16 will supersede SAS 70 beginning with reporting periods ending on or after June 15, 2011. For service organizations that have been issuing a SAS 70 report covering a 12-month period, the new standard may have an impact as early as July 1, 2010, because a 12-month examination period ending June 30, 2011 begins on that date.
This article will summarize the key differences between SAS 70 and SSAE 16. Additional information, details and recommendations for making the transition will be provided in the form of upcoming articles, web postings and web presentations.
What Has Stayed the Same?
SSAE 16 continues the focus on reporting on controls at service organizations when those controls are likely to be relevant to their user entities’ internal control over financial reporting. SSAE 16 will have Type 1 and Type 2 reports similar in scope to the current SAS 70 reports. The format of the reports will not be significantly different. The current narrative description of controls is expected to be the basis for a more expanded description of the system provided by management. Services provided by subservice organizations may be included (inclusive method) or excluded (carve-out method) as with the current SAS 70. And as before, the intended users of the report are still restricted to the service organization’s management, users and user auditors.
What Has Changed?
The following highlights a number of key differences between SAS 70 and SSAE 16.
The Nature of the Standard
The first change is a technical one. The new standard is an attestation standard, whereas SAS 70 was an auditing standard. The service auditor will continue to provide an opinion, but the change brings the engagement into closer alignment with international standards and with the AICPA's existing attestation standards.
Written Management Assertion
Management will be required to provide a written assertion, and it will be included in or attached to the SSAE 16 report. The assertion must state that the description of the system is fairly presented; that the system was designed and implemented as described (as of a specified date for a Type 1 report, or throughout the period for a Type 2 report); that the related controls were suitably designed to achieve the stated control objectives (again, as of a specified date for a Type 1 report or throughout the period for a Type 2 report); and, for a Type 2 report, that the controls operated effectively throughout the period. Subservice organizations must provide a similar assertion when the inclusive method is used. In addition, the report will state that management is responsible for preparing the system description, providing the stated services, specifying the control objectives, identifying the risks, selecting the criteria, and designing, implementing and documenting controls that are suitably designed and operating effectively. The service auditor's opinion continues to provide assurance on that assertion; the auditor is not the party responsible for the communication itself.
System Description
Much like the current narrative description of controls, management must prepare a written description of the system. The new description will be more comprehensive than it has been for many organizations. It must describe the services covered; the classes of transactions processed, along with the related procedures and accounting records; how significant events other than transactions are captured and addressed; the report preparation process; the control objectives and related controls; complementary user entity controls; and other relevant aspects of the organization's control environment, risk assessment process, information and communication systems, control activities and monitoring controls. If the inclusive method is used, the description must also cover the related control objectives and controls in place at the subservice organization.
Risks to the Achievement of the Control Objectives
Management should identify the risks that threaten the achievement of the stated control objectives and evaluate whether the identified controls sufficiently address those risks. This can be a formal or informal process, but we recommend a formal evaluation and documentation of two things: the risks to the services provided that the control objectives are meant to address, and the risks to each control objective together with the controls identified to address them.
Other Changes
Other components of SSAE 16 also diverge from SAS 70, such as the requirement that the service auditor disclose any reliance on the work of the service organization's internal audit function, and certain changes to the format of the service auditor's opinion.
Your BKD advisor can help assess the impact of the new standard on your organization, develop a timely transition plan and address the tasks necessary to prepare for an SSAE 16 examination. Please contact your BKD advisor for more information.