How service organizations can make a smooth transition from SAS 70 to SSAE 16

How are the new standards going to impact service organizations?

The service auditor is required to obtain the following written assertions from management of the service organization about the subject matter of a Type 2 engagement:

  • That management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period.
  • That the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives.
  • That the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.

How will the changes impact the way the service auditor performs audits?

The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if that evidence is supplemented with evidence obtained during the current period. In addition, the service auditor is required to identify in the description of tests of controls any tests of controls that were performed by internal auditors and the service auditor’s procedures with respect to that work.

Finally, the service auditor’s examination report must contain the required report elements identified in SSAE No. 16.

What can a business begin doing now to prepare for the change?

To comply with the changes, service organization auditors will need to update existing reports to conform with the new requirements and engage with their customers to understand their reporting needs. By engaging customers in the planning process, they can ensure that they are equipped to meet the needs of those customers.

Additionally, contracts that reference SAS standards should be updated, assertions should be written and added to reports, a risk assessment process should be implemented and representations should be updated to reflect the new requirements. Service organizations should also coordinate across their legal counsel, sales team, customer operations and other areas of management that may be impacted to make sure that the new requirements are properly applied.

On the other side of the equation, customers that receive these reports from service organizations should speak with their auditors to make sure they understand the implications of the change. In addition, they should be talking with their service organizations to make sure the organizations understand their specific needs before the rules go into effect in June.

The change in standards from SAS 70 to SSAE 16 presents a challenge to businesses, and it would be unwise to wait until the June 15 implementation date to begin addressing it. By starting now, and employing outside advisers to assist with the transition, service organizations can position themselves to minimize the impact, time and effort it will take to implement the change.

Steve Schmidt, CPA, is an associate director in assurance services at SS&G.