Out with the Old SAS 70, in with the New SSAE16 for Risk Management and Compliance

Service organizations have a new way for filing assurance reports.

As a reflection of the dwindling role national borders play in financial reporting, service organizations will now need to follow a different standard that more closely follows global standards from the International Auditing and Assurance Standards Board.

The American Institute of CPAs' Statement on Standards for Attestation Engagements No. 16, reporting on controls at a service organization, went into effect on June 15, 2011. It replaces the Statement on Auditing Standards No. 70, which had served as the main guidance on how service organizations issue assurance reports for nearly two decades.

The adoption of the new standard was brought on by several factors, including an increasingly globalized IT and business environment and the continued "U.S. convergence with international standards," according to finance and advisory firm Grant Thornton. Another factor was the rise of regulations that require organizations to provide more information about their internal controls over financial reporting, the firm says.

The main differences between SAS 70 and SSAE 16 include management's review of the auditor's report. According to the firm, management did not have to submit a written assertion with the audit under the old standard, but now it must do so, along with providing details about the "suitable criteria used for its assessment."

Additionally, subservice groups used by the service organizations under the inclusive method must also submit a written assertion with the auditor's report, and Type II reports need to contain "the opinion on fair presentation of the system and suitability of design for the period covered by the report," the firm says.

The AICPA says SSAE 16 procedures are the same or "more rigorous" than SAS 70, and also points out that compliance with either does not mean an organization becomes certified, but simply serves as "primarily an auditor to auditor communication" covering the controls relevant to financial statements.

For service organizations that previously obtained SAS 70 assurance reports, the transition to the new standard should be smoother, as they will already have documented their systems, services and controls, Grant Thornton says. Organizations that have never had an assurance report would do well to work with a service auditor who is familiar with both SSAE 16 and the IAASB's International Standard on Assurance Engagements 3402, to figure out how many audit reports they will need, to determine whether their customers worldwide will expect them to report under the new standards, and to review their testing and monitoring processes (needed to back up the written management assertion).

When it comes to service organizations' customers, or "user entities," the system the provider employs to deliver the service can also put the user entity at risk, law firm Sutherland Asbill and Brennan warns. User entities remain responsible for regulatory compliance and accountable to their stakeholders, and so can obtain assurance about service organizations' systems through Service Organization Control (SOC) reports 1, 2 and 3.

However, the standalone reports usually do not provide sufficient information about various aspects of the service organization's controls, and so user entities should be sure to demand enough data or report assurances to protect themselves from risk.

"The baseline position that customers should take in arrangements with outsource service providers is for the service organization to provide the customer with annual unqualified type 2 reporting for SOC 1 and/or SOC 2 (covering all applicable trust services principles) at the sole expense of the service organization," the firm advises.