Last month, the AICPA issued a set of standards that CPAs who do assurance engagements at service companies should examine carefully.
The AICPA’s Statement on Standards for Attestation Engagements 16, “Reporting on Controls at a Service Organization,” is the U.S. attestation standard that is substantially equivalent to International Standard on Assurance Engagements 3402, “Assurance Reports on Controls at a Service Organization.” By June 15, 2011, all reports on controls at service organizations must be performed in accordance with SSAE 16 and/or ISAE 3402, at which point, the current SAS 70 audit reporting standard will no longer be utilized.
In an attempt to assist service organizations, their customers, and CPA firms, that are performing their initial research of the new standards, here are five significant points everyone needs to know about the SSAE 16 reporting standard:
- SSAE 16 does not significantly overhaul the process of reporting on controls at a service organization. The standard instead provides a framework that aligns with the demands of globalization better than the current SAS 70 audit standard. Because the new standard was heavily based on the existing SAS 70 audit standard, the audit process and resulting report should seem very familiar to service organizations that have previously completed a SAS 70 audit.
- SSAE 16 may be adopted “early” by service organizations prior to June 15, 2011; however, most anecdotal evidence indicates that early adoption will not be widespread. On the contrary, the majority of service organizations appear poised to undergo a final SAS 70 audit and use the next 12 months preparing for the transition. During this time, service organizations will have to assess whether they are going to have an assessment performed in accordance with SSAE 16, ISAE 3402, or both, based on their customers’ needs. These customers, also known as user entities, should contact their service organizations and request to be updated regarding the service organization’s transition plan and selected reporting standards.
- The new standards will require some modifications to the form and content of previous SAS 70 reports, with the most significant change being the addition of a “management assertion” section of the report. The management of service organizations will be required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management’s description of its system. A separate management representation letter is still required to be provided near the end of the engagement. This change should not require substantial effort by most service organizations.
- SSAE 16 introduces the concept that a service organization’s management is responsible for specifying the suitable “criteria” that were used to prepare its system description. SSAE 16 provides the suitable criteria for the fairness of the presentation of a service organization’s system description and the suitability of the design and operating effectiveness of its controls. Although the terminology is new, the concept is not. Selection of these criteria essentially determines whether an assessment will result in a Type 1 report (i.e., selection of the “fairness of presentation” and “suitability of design” criteria) or a Type 2 report (i.e., selection of the “fairness of presentation”, “suitability of design” and “operating effectiveness” criteria). The selected criteria are included in the management assertion section of the SSAE 16 report.
- Clients that utilize the “inclusive” reporting method, whereby controls of significant third parties, also known as subservice organizations, are included in the scope of the engagement, will now be required to obtain management’s assertion and a written representation letter from the subservice organizations. The service auditor will not be able to utilize the “inclusive” reporting method unless these requirements are met. This new requirement will cause a significant reduction in the application of the “inclusive” method in the likely event that subservice organizations refuse to comply for liability reasons.
This list is just the tip of the iceberg as it relates to the new service organization reporting standards. However, these are the items that organizations need to know today. There are many other important issues that could be on a longer list, such as new requirements for the use of internal audit’s work product, or prohibitions on the use of evidence obtained during prior assessments. Grasping the topics above is a critical “first step” toward gaining an understanding of SSAE 16.
For those seeking further information about SSAE 16, please note that the standard is not freely distributed by the AICPA, but may be purchased here. ISAE 3402 is freely distributed in PDF form and may be obtained at here. And of course, service organizations can always obtain further guidance by contacting our team at www.schellman.com.
About CHRIS SCHELLMAN
Chris Schellman is the CEO and Founder of Schellman & Company, LLC, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and a HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70’s and has now contributed to nearly 2,000 SOC examinations.