Last month, the AICPA issued a set of standards that CPAs who do assurance engagements at service companies should examine carefully.
The AICPA's Statement on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization, is the U.S. attestation standard that is substantially equivalent to International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization. By June 15, 2011, all reports on controls at service organizations must be performed in accordance with SSAE 16 and/or ISAE 3402, at which point the current SAS 70 audit reporting standard will no longer be utilized.
To assist service organizations, their customers, and CPA firms that are performing their initial research of the new standards, here are five significant points everyone needs to know about the SSAE 16 reporting standard:
1. SSAE 16 does not significantly overhaul the process of reporting on controls at a service organization. The standard instead provides a framework that aligns with the demands of globalization better than the current SAS 70 audit standard. Because the new standard was heavily based on the existing SAS 70 audit standard, the audit process and resulting report should seem very familiar to service organizations that have previously completed a SAS 70 audit.
2. SSAE 16 may be adopted early by service organizations prior to June 15, 2011; however, most anecdotal evidence indicates that early adoption will not be widespread. On the contrary, the majority of service organizations appear poised to undergo a final SAS 70 audit and use the next 12 months preparing for the transition. During this time, service organizations will have to assess whether they are going to have an assessment performed in accordance with SSAE 16, ISAE 3402, or both, based on their customers' needs. These customers, also known as user entities, should contact their service organizations and request to be updated regarding the service organizations' transition plan and selected reporting standards.
3. The new standards will require some modifications to the form and content of previous SAS 70 reports, with the most significant change being the addition of a management assertion section of the report. The management of service organizations will be required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization's system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management's description of its system. A separate management representation letter is still required to be provided near the end of the engagement. This change should not require substantial effort by most service organizations.
4. SSAE 16 introduces the concept that a service organization's management is responsible for specifying the suitable criteria that were used to prepare its system description. SSAE 16 provides the suitable criteria for the fairness of the presentation of a service organization's system description and the suitability of the design and operating effectiveness of its controls. Although the terminology is new, the concept is not. Selection of these criteria essentially determines whether an assessment will result in a Type 1 report (i.e., selection of the fairness of presentation and suitability of design criteria) or a Type 2 report (i.e., selection of the fairness of presentation, suitability of design and operating effectiveness criteria). The selected criteria are included in the management assertion section of the SSAE 16 report.
5. Clients that utilize the inclusive reporting method, whereby controls of significant third parties, also known as subservice organizations, are included in the scope of the engagement, will now be required to obtain management's assertion and a written representation letter from the subservice organizations. The service auditor will not be able to utilize the inclusive reporting method unless these requirements are met. This new requirement will cause a significant reduction in the application of the inclusive method in the likely event that subservice organizations refuse to comply for liability reasons.
This list is just the tip of the iceberg as it relates to the new service organization reporting standards. However, these are the items that organizations need to know today. There are many other important issues that could be on a longer list, such as new requirements for the use of internal audit's work product, or prohibitions on the use of evidence obtained during prior assessments. Grasping the topics above is a critical first step toward gaining an understanding of SSAE 16.
For those seeking further information about SSAE 16, please note that the standard is not freely distributed by the AICPA, but may be purchased
Chris Schellman is the president and founder of service audit provider