June 15, 2011 – Tampa, FL – Effective today, the long-standing SAS 70 audit standard for reporting on controls at a service organization is superseded by the SSAE 16 attestation standard. BrightLine CPAs & Associates, Inc. is pleased to announce that adoption of the new reporting standard is significant and that the firm has already been engaged to perform nearly 600 SSAE 16 examinations.
“The transition to SSAE 16 by service organizations has been remarkable. BrightLine has already completed a significant number of SSAE 16 examinations for clients that adopted the standard earlier than required,” said Chris Schellman, President of BrightLine. “As we work to complete nearly 200 such examinations during 2011, BrightLine is poised to become one of the world’s leading providers of SSAE 16 examination services.”
Statement on Standards for Attestation Engagements 16 (SSAE 16), formally titled “Reporting on Controls at a Service Organization”, does not significantly overhaul the reporting process but does include some noteworthy changes:
- An increased focus on the proper application of the standard and use of the report
- Modifications to the form and content of the previous SAS 70 reporting format, including the concepts of specified criteria and management’s assertion
- Extension of requirements to subservice organizations that are likely to increase the application of the “carve-out” reporting method
The AICPA recently introduced a Service Organization Controls (SOC) reporting structure consisting of three types of reports, including SSAE 16. Each SOC report is designed to meet a specific user need. The three report types are:
- SOC 1 Reports: Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (i.e., SSAE 16)
- SOC 2 Reports: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
- SOC 3 Reports: Trust Services Report for Service Organizations
“Many changes are occurring simultaneously, and unfortunately for practitioners and service organizations alike, relevant professional guidance was only recently published,” said Schellman. “It is essential that service organizations verify the experience and knowledge of their prospective audit firm by asking about their specific SOC reporting experience, with a focus on the expertise and experience of the proposed project team members.”
Service organizations seeking further information on SOC reporting options, PCI DSS validation, or ISO 27001 certification may contact BrightLine for a complimentary consultation.