
THE SCHELLMAN ADVANTAGE BLOG


Updated - Open Issues with SSAE 16

Written by CHRIS SCHELLMAN on Aug 19, 2010

[Created - 25 May 2010]
[Last Updated - 19 August 2010]

In this blog post, I intend to maintain a list of issues I note with SSAE 16. I post these issues hoping that they will not linger like so many of the issues in the SAS 70 audit standard.

I acknowledge that some of these issues are topics that should be handled in the audit guide, and hopefully they will be. However, the audit guide is not expected until 2011 and the standard allows for early adoption. In light of this, many of the following items are needed now.

So in no particular order:

  • NEW - Inconsistencies in the Language and Punctuation Between the Common Sections of the Management Assertion Examples
  • No Sample Reports
  • No Subservice Organization Management Assertions Examples
  • No Service Organization Management Representation Letter Examples
  • No Subservice Organization Management Representation Letter Examples
  • Paragraph Subtitles in Opinion Letter Examples
  • Type 1 Carve Out and Inclusive Methods Missing
  • Inconsistencies in Opinion Letter Language
  • Use of the Term "Their" in Inclusive Method Reporting
  • Typos

Want us to add an issue? Think we’re wrong about a topic? Let us know and we will be happy to update the topics accordingly.


No Sample Reports

(Originally Posted 5.25.2010)

As a service audit firm, I am confident in our ability to issue an SSAE 16 report today. However, it is asking a lot of service audit firms to perform audits for “early adopters” without providing example reports, and doing so greatly increases the risk of form and content errors in reports.

Suggested Solutions to the ASB: Provide comprehensive example Type 1 and Type 2 SSAE 16 reports.


No Subservice Organization Management Assertion Examples

(Originally Posted 5.25.2010)

This is a significant hole in the current guidance. An experienced service auditor could draft these, but the absence of examples is a gaping hole in the guidance.

Suggested Solution for the ASB: Provide subservice organization management assertion examples as soon as possible.


No Service Organization Management Representation Letter Examples

(Originally Posted 5.25.2010)

Self-explanatory.

Suggested Solution for the ASB: Provide management representation letter examples for Type 1 and Type 2 examinations.


No Subservice Organization Management Representation Letter Examples

(Originally Posted 5.25.2010)

A long-time issue in the SAS 70 audit guidance rears its ugly head in SSAE 16, but now, it’s an even bigger issue. Given that subservice organizations are essentially required to provide management representation letters, the lack of example subservice organization management representation letters leaves all service auditors to fend for themselves.

Suggested Solution for the ASB: Provide subservice organization management representation letter examples for Type 1 and Type 2 examinations.


Paragraph Subtitles in the Opinion Letter Examples

(Originally Posted 5.25.2010)

A historical weakness of the SAS 70 audit standard and related audit guide is a lack of clarity when referring to specific opinion letter paragraphs. Paragraphs had no specific labels/subtitles. In the case of Type 2 audits, there are actually two opinion paragraphs; however, the guidance typically only referred to “the” opinion paragraph. In short, this issue increased the risk of service auditor confusion and error.

My assumption is that the insertion of subtitles in the SSAE 16 sample opinion letter examples is an attempt to improve the guidance. The subtitles allow for easier references to specific paragraphs within the opinion letter, and from that perspective, they are an improvement. However, they are not described as required components of a service auditor’s opinion letter, and I assume, perhaps incorrectly, that the ASB did not intend for them to be included in actual reports.

We have discussed this issue with the AICPA. We were informed that it is auditor preference: the subtitles are in the example language, but they are not a required component of the opinion letter. Given that other similar auditor’s reports do not use subtitles, my hope is that subtitles will not become normal and customary for SSAE 16 opinion letters.

Suggested Solution for the ASB: Clarify whether subtitles should be included in an actual service auditor’s opinion letter so that, at the very least, there is consistency.


Type 1 “Carve Out” and “Inclusive” Reporting Methods Missing

(Originally Posted 5.25.2010)

The differences in nuance are minor but do exist. Certain assumptions have to be made unnecessarily when drafting a Type 1 opinion letter using either method in the absence of Type 1 example language.

Suggested Solution for the ASB: Add Type 1 examples and remove ambiguity.

Inconsistencies and Typos in Opinion Letter Language

(Originally Posted 5.25.2010)

There appear to be “inconsistencies” between the base language of the example Type 1 templates and between the Type 1 and Type 2 templates. As best I can tell, this is simply a lack of attention to detail. One example:

A68. Example 1: Type 2 Service Auditor’s Report (Excerpt, page 60, emphasis added)

“XYZ Service Organization is responsible for preparing the description and for the assertion…”

A68. Example 1: Type 2 Service Auditor’s Report (Excerpt, page 63, emphasis added)

“XYZ Service Organization is responsible for preparing the description and for its assertion…”

A68. Example 2: Type 1 Service Auditor’s Report (Excerpt, page 64, emphasis added)

“XYZ Service Organization is responsible for preparing the description and for its assertion…”

A68. Example 2: Type 1 Service Auditor’s Report (Excerpt, page 67, emphasis added)

“XYZ Service Organization is responsible for preparing the description and assertion…”

Suggested Solution for the ASB: Perform quality assurance reviews on all sample opinion letter language and eliminate any inconsistencies in “base” language.


Use of the Term “Their” in Inclusive Method Reporting

(Originally Posted 5.25.2010)

For reasons that are beyond me, the “inclusive” reporting method guidance changes the term “its” to “their” when referring to the system within the scope paragraph, as shown below:

“We have examined XYZ Service Organization’s and ABC Subservice Organization’s description of its their [type or name of] system for processing user entities’ transactions…”

“their” system?

That sound you hear is legal bloggers posting article after article about the best reason subservice organizations should not agree to be included in the scope of an SSAE 16 examination.

Within the same scoping paragraph, the following statement is required when using the inclusive reporting method:

“XYZ Service Organization’s description includes a description of ABC Subservice Organization’s [type or name of] system used by XYZ Service Organization to process transactions for its user entities, as well as relevant control objectives and controls of ABC Subservice Organizations.”

Contradictory? I think so.

Suggested Solution for the ASB: Do not use the term “their” or imply that subservice organizations have any responsibility for the service organization’s system description or underlying controls. Additionally, use wording similar to the following:

We have examined XYZ Service Organization’s description of its [type or name of] system for processing user entities’ transactions and ABC Subservice Organization’s description of its [type or name of] system for XYZ Service Organization’s as of [date] to [date] (the “description”) and the suitability of the design of XYZ Service Organization’s and ABC Subservice Organization’s controls to achieve the related control objectives stated in the description.


Typos

(Originally Posted 5.25.2010)

The sample paragraph on page 67 has deletions to the standard language that are not indicated. Given that deletions are indicated in other examples, they probably should be consistently marked here.

Suggested Solution for the ASB: Consistently mark deviations from the standard language in all examples.

Topics: SSAE 16 / ISAE 3402
