In 2001, an international effort began to “converge” the disparate accounting standards of the world in order to provide a framework that better meets the demands of globalization. The various national standard-setting boards have spent years cooperatively developing a single set of international standards that countries are encouraged to adopt. In the United States, the American Institute of Certified Public Accountants (AICPA) is actively revising and re-codifying many US accounting standards to better align with these new international standards.
In April 2010, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, as the substantially equivalent US attestation standard to the new international standard for service organization reporting, International Standard on Assurance Engagements (ISAE) 3402. The international standard used the existing SAS 70 audit standard as its basis and incorporated changes. SSAE 16 uses ISAE 3402 as its basis, but includes some relatively minor differences. Both of the new reporting standards are very similar to the existing SAS 70 standard.
Key points for service organizations to consider:
- SSAE 16 does not significantly change the service organization reporting process. The effort required to transition to the new standard should be minimal from the service organization’s perspective.
- SSAE 16 must be adopted for Type 1 report dates, or Type 2 review periods, ending on or after June 15, 2011. The standard may be adopted early, but there are significant indications that few service organizations intend to do so.
- Service organizations must consider whether the risks that threaten the achievement of the control objectives stated in their system description are identified and ensure that the controls described in the system description sufficiently mitigate those risks. Although there is no requirement that this procedure be formal or documented, it is highly advisable to update the risk assessment section of the report as evidence of compliance with this requirement.
- The most significant change to the report content is a required section known as a “management assertion” in which management of the service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. Similar to opinion letter language, management assertion language is standardized.
- Service organizations may only utilize the “inclusive” reporting method if the subservice organization provides a similar management assertion and a written representation letter. In all likelihood, this change will result in a significant reduction in the application of the inclusive reporting method.
- Whereas the SAS 70 standard was a single standard that accounted for the performance of a SAS 70 audit by a service auditor, as well as the use of a SAS 70 report by a user entity and user auditor, SSAE 16 is only the attest standard for reporting on controls at a service organization. A separate audit standard will be issued to provide guidance on the use of an SSAE 16 report by user entities and user auditors.
- A copy of the new standard may be purchased here.
A transition is coming and it will require some thoughtful consideration by service organizations. Service organizations are encouraged to begin discussing the impact of the transition with their CPA firm. An experienced service auditor will identify the impact of the changes on a particular audit and assist the service organization in achieving a seamless transition. And of course, service organizations can always obtain further guidance by e-mailing our team at email@example.com.