Reporting requirements for service organizations are about to change, which will require affected companies to devote additional time and resources in order to comply. Statement on Standards for Attestation Engagements No. 16 (SSAE 16), “Reporting on Controls at a Service Organization,” was issued April 2010, to bring the U.S. reporting standards for service organizations closer to those of the International Federation of Accountants (IFAC) and the International Auditing and Assurance Standards Board (IAASB).
Organizations already familiar with Sarbanes-Oxley, the Model Audit Rule and other controls-based audits and reporting requirements will have an advantage during the transition, but all service organizations should begin preparing for the new requirements soon as the deadline for adopting them is quickly approaching.
Smart Business spoke with Arshad Ahmed, CPA, CISA, of Crowe Horwath LLP, about how companies can take steps now to apply the standards in the most efficient manner.
Why was SAS 70 replaced?
The IFAC and the IAASB adopted International Standard on Assurance Engagements (ISAE) 3402 in December 2009, which is the first standard the international community has established on issuing reports on controls at service organizations. Here in the U.S., since 1992, service organizations — third-party vendors such as data processors, third-party administrators and fulfillment houses — found their guidance from the AICPA Statement on Auditing Standards (SAS) No. 70, ‘Reports on the Processing of Transactions by Service Organizations.’ When the Auditing Standards Board (ASB) sought to bring its standards closer to those of the IFAC and the IAASB, it signaled the end of SAS 70.
The changes will apply to reporting periods ending on or after June 15, 2011, with an option for early adoption. Many companies will need to submit required documentation to their independent auditor by the fall of 2010.
What are the main differences between SAS 70 and SSAE 16?
A report done under the guidance of SSAE 16 will require management to provide an assertion on their controls when the auditor is engaged, as the auditor’s opinion will be focused on management’s assertion.
Once the auditor is engaged, the scope of the report can only be altered if there is a ‘reasonable basis’ for the change such as discontinued operation of a segment or line of work or implementation of a new service offering. The determination by management that an area may not successfully pass testing would not be a reasonable basis for a change in scope.
In addition, the service organization will need to identify the potential risk of each control objective not being achieved, and determine the controls and activities the service organization has established to help ensure that the control objectives are achieved. Other major differences include:
- A more robust description of the system
- More information regarding significant changes to the system and controls during the time frame for type 2 reports
- An auditor’s report that covers the design of controls throughout the time frame rather than on the last day of the time frame as required under SAS 70
The look and feel of the report largely remains the same. There will be an opinion, a description of the environment provided by the service organization, control objectives, a section detailing the controls the auditor tested and how they were tested, and the results of their testing that support the control objectives, user control considerations and other information provided by the service organization.
How can organizations best prepare?
Begin with establishing a framework and basis for providing the management’s assertion. As the start of the reporting period approaches, define the scope of the report (systems, processes, services it covers) and provide the scope and control objectives to the external auditor, along with the management assertion and a summary of systems.
Throughout the reporting period, cooperate with the auditor by reporting any system changes and continue with the validation of controls through monitoring activities and/or testing. Consider changes in scope only if there is a ‘reasonable basis’ for the change.
Companies will also need to engage any third-party vendors and inform them of the new requirements in order to coordinate the preparation of the management assertions.
Once management identifies the start date of the next reporting period, it should quickly take steps to line up the necessary resources to handle the greater workload that compliance requires.
Are there other reporting options?
A service organization could have an AT 101 or AT 601 report issued. These reports are opinions on management assertions but do not have the same restrictions as an SSAE 16 report. The subject matter of the assertion could be any control or process of the organization; it is not limited to the financial controls the service organization’s customers’ financial auditors would be concerned with in conducting their financial audit. Both AT 101 and AT 601 reports could include additional information similar to that provided under an SSAE 16 or SAS 70 report. However, the opinion on management’s assertion is more limited under AT 101 and AT 601.
We anticipate some organizations providing both an SSAE 16 and AT 101 report as their customers want information to complete elements of a vendor compliance program, and typically such programs require more information than just elements that would be considered under a financial audit.
Arshad Ahmed, CPA, CISA, is a partner with Crowe Horwath LLP. Reach him at (214) 574-1000 or [email protected]