Service organizations, and the companies that rely upon such third-party service providers, are in for a change. For years, service organizations had an independent CPA firm perform an audit in accordance with Statement on Auditing Standards No. 70 (SAS 70). These SAS 70 reports were provided to customers and their auditors to provide assurance that the service organization had effective internal controls related to the services being provided. Effective June 15, 2011, SAS 70 was replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which will bring added complexity while increasing the quality and utility of these engagements.
“More companies today are outsourcing different parts of their business to third-party service organizations,” says Tony Munns, who leads the IT risk advisory team at Brown Smith Wallace LLC, St. Louis, Mo. “These outsourcing relationships expose companies to additional risks related to the service organization’s systems. While activities can be outsourced, these companies still remain responsible for risk management. These standards allow service organizations to provide assurance to customers that their responsibilities are understood and being handled properly.”
Smart Business spoke with Munns about the change from SAS 70 to SSAE 16 reporting and what service organizations and their customers need to know to meet the new standards.
What are the different types of engagements that can be performed?
The AICPA has introduced three types of service organization control (SOC) reports to address controls at a service organization.
SOC 1 — This is very similar to the old SAS 70. It focuses on controls relevant to customers’ financial reporting processes. A SOC 1 engagement is generally used to provide assurances to customers and their auditors concerning their financial reporting processes.
SOC 2 and SOC 3 — These engagements are designed to focus on security, availability, processing integrity, confidentiality, or privacy principles at the service organization. These engagements allow service organizations to address certain compliance and operational risks that are often very important to customers.
In addition to SOC 1, 2 and 3, there are other AICPA attestation standards that allow auditors to perform engagements to report on a number of different subject matters.
Why do service organizations have these examinations performed?
Customers want to have confidence in the quality and reliability of activities being performed by their service providers. These engagements help service organizations build trust with customers related to their service delivery processes and controls. Some service organizations view these engagements as an opportunity to differentiate themselves from their competition, while others just see them as the cost of doing business.
How will the new standards impact service organizations?
Most importantly, service organizations now have the option to focus these engagements on areas of risk that may be important to their customers. Service organizations need to make sure they understand the needs of their customers and discuss the various options to arrive at the appropriate type of engagement.
The new standards also will place additional responsibilities on the service organization to ensure the comprehensiveness and accuracy of the information contained in the reports. Service organizations will now be responsible for providing a written assertion about the fairness of the presentation of the description of their system as well as the suitability of the design and operating effectiveness of their controls. SAS 70 allowed service organizations and auditors some flexibility regarding the scope of the engagement, which resulted in some engagements not fully addressing the customers’ needs. The new standards should help to improve the quality of these reports.
One other important aspect of the change is that SSAE 16 is based on international standards. This increases service organizations’ ability to utilize these reports on an international basis.
Does this address a service organization’s security and privacy practices?
Some organizations have incorrectly used a SAS 70 to give assurances to customers regarding their security and privacy practices. While a SAS 70 often included testing of security controls specified by the service organization, it generally did not evaluate security and privacy practices against a comprehensive and objective standard. SSAE 16 allows a service organization to do so. SOC 2 and SOC 3 engagements focus on controls addressing security, availability, processing integrity, confidentiality and the privacy of its systems and information.
How do these changes impact customers of service organizations?
These companies need to be aware of the changes and which reports best serve their needs. Companies need to understand what is being outsourced and what important risks and responsibilities are being addressed by the service provider. This will help guide what types of assurances your company requires and the reports that address those needs.
What should a service organization be doing now to prepare for the transition to SSAE 16?
Evaluate whether you have the appropriate system of internal controls, policies and procedures. People are sensitive about the impact of data breaches and the security of information, and it’s important to be able to assure clients that you are managing data with the highest integrity. The new standards impose some additional responsibilities upon the auditor and organization. While the impact will vary for each organization, service organizations should establish a defined transition approach to reduce the potential for surprises.
Tony Munns is the leader of the IT advisory team at Brown Smith Wallace LLC, St. Louis, Mo. Reach him at (314) 983-1297.