For many years (since April 1992), third-party service organizations have needed a Statement on Auditing Standards (SAS) No. 70 report in order to provide evidence that they have effective internal controls.
It is time to do more: to consider the Statement on Standards for Attestation Engagements (SSAE) No. 16.
In April 2010, the American Institute of Certified Public Accountants (AICPA) published the new Standard, SSAE No. 16, which supersedes the SAS 70 for performing an examination of a service organization's controls and processes.
In fact, the AICPA has launched a new resource dedicated to Service Organization Control (SOC) Reporting, including the new SSAE 16 standard.
In SSAE No. 16, the entity that outsources a task or function is known as a user entity, and the entity that performs a service for user entities is known as a service organization.
An example of a service organization is an investment adviser that invests assets for user entities, maintains the accountability for those assets, and provides statements to user entities that contain information that is incorporated in the user entities’ financial statements, for example, the fair value of exchange traded securities, or dividend and interest income.
Another example of a service organization is a data center that provides applications and technology that enable user entities to process financial transactions.
In SSAE No. 16, an auditor who audits the financial statements of a user entity is known as a user auditor.
In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization.
In some cases, the user entity is able to implement controls at the user entity over the service performed by the service organization.
In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions.
In the latter case it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities.
The user auditor could visit the service organization and test the service organization’s controls that are relevant to the user entity’s internal control over financial reporting.
However, because many entities use the service organization, a number of user auditors may visit the service organization, require the assistance of service organization personnel, and disrupt the business of the service organization.
Another alternative is for the service organization to:
(1) Prepare a description of the service organization’s system, including the control objectives and related controls that are likely to be relevant to user entities’ internal control over financial reporting, and
(2) Engage a service auditor to report on the fairness of the presentation of the description, the suitability of the design of the controls, and in certain engagements, the operating effectiveness of the controls.
That report, including the description of the system, can be used by all the user auditors to obtain information about the controls at the service organization that are relevant to the user entities’ internal control over financial reporting.
Two Types of Engagements
SSAE No. 16 contains the requirements and guidance for a service auditor reporting on a service organization’s controls. It enables a service auditor to perform two types of engagements:
A type 2 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
A type 1 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Changes Introduced by SSAE No. 16
The following are some changes in the requirements for a service auditor’s engagement introduced by SSAE No. 16:
1. The service auditor is required to obtain a written assertion from management of the service organization about the subject matter of the engagement. For example, for a type 2 engagement, the service auditor would obtain a written assertion by management about whether in all material respects.
George Lekatis is the General Manager and Chief Compliance Consultant of Compliance LLC, a leading provider of risk and compliance training and executive coaching in 36 countries.
George has more than 17,000 hours of experience as a professional speaker and seminar leader. He has worked for more than 15 years as a management consultant and educator and has demonstrated exceptional presentation and communication skills.
George is the president of the Basel ii Compliance Professionals Association (BCPA, www.basel-ii-association.com), the largest association of Basel ii professionals in the world, and the Basel iii Compliance Professionals Association (BiiiCPA, www.basel-iii-association.com), the largest association of Basel iii professionals in the world.
George is also president of the Sarbanes Oxley Compliance Professionals Association (SOXCPA, www.sarbanes-oxley-association.com), the largest association of Sarbanes Oxley professionals in the world.
George is an expert witness, qualified to investigate and testify about risk and compliance management standards, policies, procedures, best practices, due care and due diligence.