SAS 70 to SSAE 16… New Standards, Effective June 15, 2011
posted Jun 2, 2011 by Henry A. Silva, CPA, CGMA, MBA
Service auditor reports on controls at a service organization are changing. If your organization issues a Statement on Auditing Standards No. 70 (SAS 70) report, you need to be aware that the SAS 70 is being replaced by new standards. The new standards go into effect on June 15, 2011 and the auditors of service organizations will have to change the way they report to their clients and their clients’ customers. Service organizations that perform business services that affect their customers’ internal control environments typically undergo a SAS 70 examination. These service organizations will have to meet expanded reporting requirements under the new attest standards.
What is the SAS 70 standard and how is it changing?
SAS 70 was issued by the American Institute of Certified Public Accountants (AICPA). It is the standard utilized to report internal controls of a service organization that are relevant to financial reporting of their customers. The SAS 70 report is produced by the auditor of the service organization to communicate to the auditors of the service organization’s customers. The report is used by the customers’ auditors to gain an understanding of the internal controls that may be relevant to a client’s internal controls as they relate to the financial statement audit.
For the service organization’s auditor, the SAS 70 standard is being replaced by Statement on Standards for Attestation Engagements (SSAE) 16. The AICPA issued SSAE 16 in April 2010, but it is effective for service auditor reports with periods ending on or after June 15, 2011. Early adoption was permitted to allow organizations to phase in compliance.
What are the key changes in the new standards?
There are two major provisions that have been added within the new guidance:
- Management of the service organization is required to provide a written assertion about the fairness of the presentation of the description of the system, suitability of the control design, and the operating effectiveness of the controls (if the report is a type II).
- In a type II report, the service auditor’s opinion on the description of the service provider’s controls and systems will now cover a period of time (the same period of time covered by the service auditor’s tests of operating effectiveness of the controls).
However, if the organization renders a service that does not impact the financial reporting of its customers, based on the new SSAE 16 guidance, the auditors may find themselves reporting under the new AICPA guide, Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, which addresses nonfinancial information.
The fundamental premise of the service auditor report has not changed. The SSAE 16 report will remain a report from the service auditor to the user auditor, with the primary intent to provide information on the controls at the service organization relevant to the user organization’s financial statements, and is not intended to address controls on nonfinancial information. Both report types, type I and type II, will still be available. The SSAE 16 report should not be used by the service organization as a marketing tool.
Why the change to SSAE 16?
The AICPA decided to update U.S. standards and bring them in line with the international standards. The major driver was the publication of International Standard on Assurance Engagements 3402 (ISAE 3402) by the International Auditing and Assurance Standards Board (IAASB). ISAE 3402 was adopted to provide an international standard for auditors to report on service organizations’ internal controls that are relevant to their customers’ controls over financial reporting. Service organizations can now direct their auditors to perform this attest engagement under either SSAE 16 or ISAE 3402 standards based on their customers’ reporting needs.
Are you ready for the change?
Service organizations and their auditors will have to update existing reports to conform to the new requirements. The process will require service organizations to understand the reporting needs of their customers, engage them in the planning stage, update contracts that state SAS 70, create and implement a risk assessment process, write their assertions and add them to the report, update representation letters to reflect the new standards, and update specific sections of the report to reflect the new requirements. User organizations (the customers) need to know what report they need and whether it will satisfy the needs of the external auditors in the financial statement audit. All parties need to get on the same page in terms of the new requirements, plan the transition, educate the stakeholders that will be impacted and implement the changes.
While the new standards will require some changes as noted above, they do not significantly change the practice and overall process of reporting on controls at a service organization. Many believe that the transition to SSAE 16 will be a relatively easy one, but nonetheless service organizations should consider using external advisors to help ensure that the implementation of the changes is a smooth one. The external advisors can use their knowledge of the new standards and internal controls to minimize the impact, time and effort for the service organization.
If you have any questions or need assistance, please contact Henry Silva, CPA.