How service organizations can make a smooth transition from SAS 70 to SSAE 16

New attestation standards go into effect on June 15, 2011, and as a result, auditors of service organizations will have to change the way they report to their clients.

A company that outsources a business task or function to another entity is known as a user entity, and an entity that performs for a user entity an outsourced business task or function that impacts a customer’s internal controls, such as payroll, is known as a service organization. Under the current rules, service organizations must undergo an SAS No. 70 audit. But under the new SSAE No. 16 standard, they will have to meet additional reporting requirements, says Steve Schmidt, CPA, an associate director in assurance services at SS&G.

“Prior to the issuance of SSAE No. 16, the requirements and guidance for service auditors and user auditors were included in Statement on Auditing Standards (SAS) No. 70, Service Organizations,” says Schmidt. “But the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board decided that the guidance for service auditors should be moved from the auditing standards to the attestation standards as part of its convergence project for audit, attest and quality control standards with international standards.”

Smart Business spoke with Schmidt about the key changes to the reporting standards and what service organizations can do now to begin to prepare for a smooth transition to SSAE 16.

What do business leaders need to know about the new attest standards?

Under SSAE No. 16, a service auditor will still have the availability to perform the following two types of engagements:

  • Type 1 engagements, in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and on the suitability of the design of the controls to achieve the related control objectives as of a specified date.
  • Type 2 engagements, in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives throughout a specified period.