What are the factors driving the change?
The AICPA decided it was a good time to update and converge U.S. standards with the international standards, bringing them both in line. The key driver was the recently published international standard on Assurance Engagements 3402 (ISAE 3402) by the International Auditing and Assurance Standards Board (IAASB). ISAE 3402 was developed to provide an international standard for auditors to report on service organizations’ internal controls that are relevant to their customers’ controls over financial reporting.
Due to globalization of outsourcing, service organizations can now direct their auditors to perform their attest engagement under either or both SSAE 16 or ISAE 3402 standards, based on their customers’ reporting needs.
What can a business do now to prepare for the change?
Service organizations and their auditors will have to update existing reports to conform to the new requirements. The process will involve service organizations engaging with their customers to understand their reporting needs, SSAE 16 and/or ISAE 3402, and engaging them in the planning stage; updating contracts that explicitly state SAS 70; creating and implementing a risk assessment process; writing their assertions and adding them to the reports; updating representation letters to reflect new requirements; and updating specific sections of the report to reflect the new requirements. In addition, the service organization will have to corroborate with its legal counsel, customer operations, sales and other relevant members of its management team to apply the new requirements properly.
User organizations (customers) will also have to know the report they need and whether it satisfies their external auditors’ needs in a financial statement audit. Customers receiving these reports should discuss with their auditors the implications of a change to SSAE 16/ISAE 3402. Subsequently, customers should communicate the specific needs of their circumstances to the service organization prior to the start of the period for consideration in the next report.
Essentially, all parties will have to get organized in terms of the new requirements, plan the transition, educate impacted stakeholders and implement the changes.
Addressing this change can be challenging and you don’t want to wait until June 15, 2011, to get started. In addition, service organizations should consider employing external advisers to assist with the implementation of the changes. External advisers can use their knowledge of the standard and internal controls background to minimize the impact, time and effort it takes to implement the change.
Sumit Kalra is a director in the San Jose office of Burr Pilger Mayer. Reach him at (408) 961-6399 or [email protected].
