How service companies and their auditors can smoothly transition from SAS 70 to SSAE 16

New attest standards go into effect on June 15, 2011, and the auditors of service organizations will have to change the way they report to their clients and their clients’ customer organizations. Service organizations that perform business services that impact their customers’ financial internal control environments — for example, outsourced payroll services — typically undergo a SAS 70 examination and will have to meet expanded reporting requirements under the new attest standard, says Sumit Kalra, a director in the San Jose office of Burr Pilger Mayer.

“Initial and ongoing additional effort is required to comply with the new professional attest statements,” he says.

Smart Business spoke with Kalra about the key changes to service organization reporting standards and what service companies can do now to ensure a smooth transition.

What is the SAS 70 standard and how is it changing?

Statement on Auditing Standards (SAS) No. 70 was issued by the American Institute of Certified Public Accountants (AICPA). It is currently the de facto standard utilized to report on internal controls of service organizations that are relevant to financial reporting of their customers. The resulting report is produced by the service organization’s auditor to communicate with its customers’ auditors. The report is used by the customers’ auditors to gain an understanding of the internal controls that may be relevant to a client organization’s internal controls as it relates to an audit of financial statements.

For the auditor of the service organization, SAS 70 standard is being replaced with Statement on Standards for Attestation Engagements (SSAE) 16. The AICPA released SSAE 16 in April 2010, and the standard is effective for report periods ending on or after June 15, 2011. Early adoption is permitted to allow companies to phase in compliance and avoid a last-minute rush.

[Visit Burr Pilger Mayer’s SAS 70 Compliance site for more information]

What are the key changes in the new standards?

Under the new attest standards, auditors of service organizations will be required to include in the report their clients’ written assertion outlining their responsibilities related to fair presentation of their systems, suitability of design and operating effectiveness to achieve the control objectives as they relate to financial reporting. However, if the organization renders a service that does not impact the financial reporting of its customers, based on the new guidance within SSAE 16, its auditors might find themselves reporting under the AICPA guide to be published in early 2011, titled ‘Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.’

Service organizations will also be required to disclose in the report issued by their auditors the suitability of the design criteria used to make the assertion and will need to perform a risk assessment to identify the risks and considerations for materiality that threaten the achievement of control objectives stated in management’s description of the system.