How immigration paperwork audit fines can catch employers by surprise

Kevin Smith, Partner, Crowe Horwath LLP

Think the odds of being fined for immigration law violations are slim to none? Think again. Even if every person working in your business is a legitimate U.S. citizen and/or eligible to work in the U.S., you can still run into trouble if you file immigration law paperwork with errors or omission or, worse, fail to file the papers at all.

Until recently, Form I-9 infractions have not been top of mind because it’s just a one-page form filled out during the new hire process. The odds of an ICE (U.S. Immigration and Customs Enforcement Agency) inspector showing up on your doorstep were miniscule. However, the risk has significantly increased over the last few years.

“This is the quickest and easiest employment law violation to find,” says Kevin W. Smith, a partner at Crowe Horwath LLP. “Inspections have been growing in number over the last three years, and it can cost up to $1,100 for each form containing an error.”

Smart Business learned more from Smith about how businesses can avoid having to pay for not having the proper immigration paperwork.

What should employers know about Form I-9?

In order to verify that all employees — citizens and noncitizens — are eligible to work in the United States, every employer needs to complete a simple two-sided, one-page form within the first three days of hire. It’s called a Form I-9, ‘Employee Eligibility Verification.’ The employer must be provided with the employment eligibility and identity document(s) by the employee, determine whether they reasonably appear to be genuine and record this information on the I-9. The form must be kept by the employer either for three years after the date of hire or for one year after employment is terminated, whichever is later.

Why should employers pay attention to this issue?

ICE was established in 2003 with the emphasis on finding and deporting illegal immigrants. Beginning in 2009, the emphasis has shifted to enforcing employer responsibility to ensure that new hires are eligible to work in the U.S. This has led to a record 2,196 notices of inspections to employers in fiscal 2010, surpassing the prior year’s record of 1,444, and more than quadrupling the 503 inspections in 2008. In 2010, judicial fines and fines for final orders, forfeitures and restitutions came to a total of $43,567,346.

Fines are levied regardless of whether illegal immigrants are found, as in the case of Abercrombie & Fitch stores being fined $1 million for a technologically deficient I-9 record-keeping system.

How does ICE investigate an employer if it suspects employees are working illegally there?

Once ICE begins an investigation, the agency will use confidential informants, cooperating witnesses and electronic surveillance. ICE may also visit the worksite or the homes of employees. ICE uses the following factors when determining criminal liability: if there was a pre-existing immigration compliance program, how widespread the activity was, how high up the complicity of management was, timely voluntary disclosure of wrongdoing and cooperation in the investigation. One of the most serious ICE violations concerns the harboring of persons in the country unlawfully.

What else do employers need to be concerned about regarding this issue?

In addition to strategically shifting from the focus of deporting illegal immigrants to holding employers accountable for noncompliance, ICE has changed its enforcement strategies in other ways:

  • Moving from high-profile, multisite raids to targeting a substantial number of small and medium-sized employers such as restaurants, construction companies and manufacturing plants.
  • Working closely with other government regulators — including the U.S. Department of Labor Wage and Hour Division, the Social Security Administration, the IRS, FBI and state counterparts — in ‘fusion centers’ that cross-train inspectors from other agencies to conduct I-9 audits.

How can employers defend violations and avoid noncompliance?

Businesses should be sure to have a comprehensive immigration compliance and ethics program in place, which comprises of established standards for detecting and preventing criminal conduct, screening of human resources processes, training regarding compliance and ethics for directors and employees, monitoring/auditing compliance programs and appropriate response to violations. Having a reasonable compliance program significantly improves the odds of reducing fines and criminal liability if an employer is found to be noncompliant.

Some other processes to consider:

  • Conduct a self-audit of your I-9 forms.
  • Keep I-9 forms separate from employee personnel files. Also, separate present and past employee forms.
  • Do not accept expired forms from new hires when completing the I-9 form.
  • Re-verify any expiring work authorization documents before they expire. Do not allow employees to work if they have expired documents.
  • Only accept documents from new hires that are on the List of Acceptable Documents and appear to be genuine.
  • If ICE shows up to conduct an audit, ask for a Notice of Inspection and know that you have three business days before you have to turn over your original I-9 forms.

By checking only 14 form attributes, our auditors have been able to consistently find missing or incorrect dates, signatures, IDs referenced and, worst of all, missing forms. Correcting these small errors can save employers from significant fines and even criminal charges.

Kevin W. Smith is a partner at Crowe Horwath LLP. Reach him at (214) 574-1008 or [email protected]

How construction companies can right-size to improve financial performance

Marc McKerley, Partner, Crowe Horwath LLP

When the housing bubble burst, many construction business owners were amazed at the speed and magnitude of decline within their industry. With the slow improvement of the economy this year, and even slower recovery of the housing and construction segments, contractors will continue to feel pressured to find new ways to improve the bottom line.

“Managing your business through these uncharted waters can prove difficult,” says Marc McKerley, partner at Crowe Horwath LLP. “Most all construction businesses have been impacted as almost all market sectors of construction are experiencing a slump.”

Smart Business spoke to McKerley about strategies for construction companies to improve financial viability.

What are the typical problem areas for the contracting industry?

Given the potential for continued difficulties within the industry, it’s valuable to take a look at the significant challenges that contractors have struggled with in the past. An industry consulting study that took place before the recession hit showed that more than 89 percent of the time, declines in shareholder value were primarily attributable to either strategic issues (58 percent) or operational issues (31 percent), including:

  • Lack of a comprehensive business plan
  • Significant changes in ownership and/or
  • personnel
  • Over-expansion
  • Changes in scope or line of business
  • Loss of loyal customers
  • Poor project management
  • Poor estimating and job cost reporting
  • Communication problems

A study conducted by Crowe Horwath LLP and Arch Insurance Group of CFMA (Construction Financial Management Association) contractor members garnered similar results. The survey covered corporate values, strategic vision, mission statement, strategic goals and initiatives, selected industry best practices and key performance indicators. Companies ranging in size and type all found their businesses to be ineffective in the management of people, sales and customer satisfaction, project delivery and risk.

How does this apply to the problems faced by the construction industry today?

Generally, these problem areas can be masked during peak economic times, but will often come to the surface in painful and financially troubling ways during periods of economic decline.

Leaders should re-examine the following areas of their business to identify internal issues that can be repositioned for future success:

Development and execution of business strategy: Defining the company’s mission and strategic direction, understanding customers’ needs, understanding the competition’s strengths and weaknesses, executing strategic initiatives.

Organizational effectiveness: Identifying and developing leaders, establishing a formal succession plan, communicating the company’s strategic direction internally, using effective channels of communication to manage day-to-day operations, having clear lines of authority and accountability.

Human resources management: Appropriately incentivizing employee performance, using technology to measure employee performance through a formal appraisal system, guiding employee development with clearly defined career paths.

Business development and customer satisfaction: Establishing a sales process that builds a sustainable pipeline of new business, using technology to effectively manage sales and customer relationships, measuring customer satisfaction through a survey process.

Operations and risk management: Following defined criteria for selecting which projects to bid, following established procedures for estimating and bidding, pre-qualifying and managing subcontractors, managing and measuring work quality and field productivity, selecting and managing suppliers and other service providers, managing the billing and collections process, managing contractual risk and insurance programs, preventing and detecting fraud, consistently delivering projects on time.

Performance measurement and management reporting: Defining key indicators that drive financial results, using technology to track and report progress (i.e. scorecards, dashboards), reporting accurate financial and project information in a timely manner, utilizing the full capabilities of the technologies deployed by the company.

What should construction businesses consider when attempting to ‘right-size’ their companies?

Even the best managed companies have been forced to ‘right-size’ their business to manage profitability. Construction companies must make a realistic assessment of their financial condition. Look at areas such as underbillings, overbillings, receivables, estimated costs to complete, loans to shareholders and tangible working capital. Also, take a hard look at your business plan and strategies for getting work. Ask yourself: What market sectors do we have sufficient experience in to successfully pursue and complete work? Many contractor failures in recent years have been due to attempts to diversify into niches where they lacked experience.

Right-size your cost structure to match your company’s projected revenue and desired level of income. This should include contingency plans that consider different projected revenue levels; the plans should contain ‘trigger points’ that prompt management into action. Here, positive cash flow is the overall objective.

Keep a close eye on the risk areas that worsen during tough economic times, including owner prequalification and funding verification risk, subcontractor and vendor default risk and contractual risk.

Finally, stay close to both your bank and surety. Now is not the time for surprises. Make sure they understand and agree with your plan and strategies.

Marc McKerley is a partner at Crowe Horwath LLP. Reach him at [email protected] or (214) 574-1009.

Monitoring your property taxes in the economic downturn

Jeff Mills, Senior Manager, Crowe Horwath LLP

With the Texas budget deficit currently projected to exceed $27 billion, local taxing jurisdictions will be relying on the most stable of taxes to help make up this budget shortfall: property taxes.

Property taxes are administered at the local level, as Texas does not have a state property tax. Given that there is an estimated $150 to $250 million deficit in the Dallas Independent School District alone, property owners can expect their property values and tax rates to remain stable, and in some cases increase, despite declining values in the current market.

“The school districts count on property tax revenues to make up more than 50 percent of their funding,” says Jeff Mills, senior manager at Crowe Horwath LLP. “This adds pressure to all parties involved with the appraisal process to ensure that the overall taxable value is in line with their budgeted needs.”

Less than 10 percent of property owners appeal their tax assessments, effectively leaving money on the table when assessments are not in line with the current economic climate. Professional consultants can help taxpayers monitor their taxable values, become educated in the appraisal process, obtain available exemptions and ensure critical dates are met in the appeals process.

Smart Business spoke to Mills about what taxpayers in Texas should know about keeping their property taxes in line.

How is the property tax system structured?

Property taxes are administered at the local level via the county appraisal districts. Boards of directors are appointed by taxing units made up of school, city, county and special district representatives. The board of directors appoints the chief appraiser who oversees the appraisal of all of the properties in the district. The board of directors also appoints the Appraisal Review Board, made up of ‘independent’ citizens that are in charge of hearing appeals when an agreement cannot be reached between the taxpayer and the appraisal district informally. It is of note that the Appraisal Review Board is paid by the appraisal district and appraisers conduct multiple hearings throughout the year often with the same review board members.

How can taxpayers appeal their property tax values?

Frequently, taxpayers don’t understand the process of how to appeal their values. By the time tax bills are received, the deadline to appeal has already passed.

Properties are assessed as of January 1 of each year based on the ‘fair market value’ of the property: typically the price at which a property would transfer for cash or its equivalent under prevailing market conditions. Assessments notices are sent out in early May, but have been known to be mailed out much later. This is a crucial component of the appeal process, as a taxpayer only has 30 days to appeal from the date of the receipt of the assessment notice, or May 31, whichever is later. Not receiving an assessment notice or not knowing the critical dates may cause taxpayers to forfeit normal appeal rights. Other means of appeals can be very time-consuming and costly.

Once a timely appeal is filed, the taxpayer is required to receive 15 days’ advance notice before the hearing is scheduled to occur. Failure to receive notice is not necessarily grounds for rescheduling a new hearing.

How can people make sure they’re not paying more than their fair share of property taxes?

Whether you collect market data on your own or hire a property tax consultant, be prepared with an opinion of market value for your property and thorough support when challenged. Even if your assessed value stays the same or decreases slightly, the overall tax liability could still be higher. Tax rates are not set until October, several months after the protest deadline. It’s rare that the taxing units will vote to decrease their respective rates, especially during the kind of budget constraints they’re facing now.

Also, for owners of business and personal property, be aware that filing your fixed asset schedule in its entirety may cause an over-inflated assessment of market value. Conducting a fixed asset review may uncover several assets that are being assessed at a higher value due to lack of description on your asset ledger. In many cases, assets can be shifted to a faster depreciable life. A review can also help to identify ‘ghost assets,’ which are assets no longer located at the facility that have failed to be removed from the ledger.

What else should people know about saving on their property taxes?

Homeowners and business owners should understand or ask their advisers about the various exemptions available to them:

  • Homestead exemption
  • Freeport exemption (inventory shipped out of Texas)
  • In-transit inventory (inventory passing through the state and protected under the Commerce Clause)
  • Pollution control equipment
  • Agricultural exemption
  • Abatements — Property tax abatements do not include the school district portion of the property tax, which is the largest portion. Opportunities may exist to recoup a sizeable portion of this tax.

When in doubt, hire a licensed tax consultant; many will not charge a fee unless they are successful in reducing the assessed property value. These professionals have access to market data for various types of properties, and have experience with identifying savings opportunities and managing the appeals process. The No. 1 reason that taxpayers don’t achieve a reduction in a hearing is lack of preparation and support. I’ve seen numerous cases where taxpayers are trying to make an argument without knowledge of how their property is assessed.

While current market conditions may warrant a reduction in your appraised value, don’t expect a lower tax liability without knowing your rights, and appealing your values.

Jeff Mills, CMI, is a senior manager in the National Property Tax Practice at Crowe Horwath LLP and a licensed senior property tax consultant in Texas. Reach him at (214) 574-1037 or [email protected]

How to designate roles and responsibilities in an effective enterprise risk management program

A truly effective risk management program will require support from the top.

It’s well known that lack of strategic oversight played a part in the disastrous collapse of many sectors of the economy. While corporate America is certainly more aware of the need for tighter controls, the possibility of major crises continues to loom.

To uncover the general attitudes, efforts and concerns of corporate executives surrounding their own financial and operational oversight, Crowe Horwath commissioned a research study to determine CFOs’ perspectives on enterprise risk management (ERM).

The study revealed some surprises: namely, a lack of understanding and support within many corporations for effective ERM as well as ambiguous roles and responsibilities of different individuals and groups in developing and maintaining controls.

Smart Business spoke to Rick Julien, a partner at Crowe Horwath LLP, to learn more about the survey results and what businesses can do to overcome their own barriers to effective risk management. A new development includes an innovative approach to establishing ERM process roles and responsibilities.

What were the biggest challenges identified in the survey?

The most frequently cited concerns surrounded the fundamental questions of just what ERM involves and who is responsible for ensuring that the process is effective. Most businesses lacked in: ‘managing risk across the entire company,’ ‘improving financial reporting’ and ‘improving internal controls.’ These challenges become particularly daunting when you consider that more than a third of these executives said their companies showed a ‘lack of shared understanding and approach to risk management across business units.’

Considering that ERM is still an evolving process at many organizations, this lack of understanding is not surprising. The complexity of ERM also adds to the governance challenge. The integrated ERM model introduced in 2004 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission organizes risk into four general categories: strategic, operational, reporting and compliance. Each is then defined along a scale that addresses eight stages of ERM maturity; this system is often far too complex for most organizations’ needs.

In most companies, a variety of risks are already being managed in diverse ways. Non-integrated risk management activities may be effective in their limited scope, but there is often no link to broader business strategies.


What do businesses need to do to improve?

A truly effective risk management program will require support from the top. Corporations’ finance executives need to work with C-suite colleagues and boards of directors. Executives also need buy in from business unit managers, audit committees and internal audit teams when developing and executing risk management policies.

Key executives must reinforce and support the role of the chief risk officer or ERM leader and, above all, link the ERM process to other management activities, especially strategic planning and budgeting. ERM activities must be a part of overall good governance processes of the board and organization as a whole.

How should businesses set up leadership roles and responsibilities for ERM?

Organizations must define governance roles with greater precision and differentiate clearly between company activities and board responsibilities. While every organization is different in its needs and structure, a successful ERM governance model will often involve a risk management council and an ERM leadership team.

The risk management council provides executive leadership and reports to the CEO. The council should include senior level executives, who would oversee ERM strategy and infrastructure as well as define the organization’s appetite and tolerance for risk. The council would also monitor and report significant risks, ensure corporate strategy is risk-responsive and provide direction and oversight to the chief risk officer and ERM leadership team.

The ERM leadership team should be led by the chief risk officer or ERM leader and should include some members of the risk management council as well as compliance risk officers and representatives from individual business units. It will oversee the actual execution of ERM-related activities and implement the appropriate ERM infrastructure, which should include a common risk model and definitions, a consistent method of risk assessment, and risk documentation procedures and standards.

Rick Julien is a partner at Crowe Horwath LLP. Reach him at (214) 574-1000 or [email protected], or visit the company’s website at

How to navigate recent tax changes to prepare for year-end planning

Catherine Fox-Simpson, Partner, Crowe Horwath LLP

When conducting year-end tax planning, organizations will need to be cognizant of changes resulting from recently enacted federal tax laws. Specifically, companies will be interested in changes related to tax credits and new compliance requirements.

With tax provisions about to expire and uncertainty remaining regarding further 2011 tax law changes, businesses are left with several what-if scenarios to consider during the planning process.

Smart Business spoke to Catherine Fox-Simpson of Crowe Horwath LLP about the federal tax law changes that businesses should consider when conducting year-end tax planning.

What positive changes should businesses take advantage of this tax year?

The HIRE Act was enacted on March 18, 2010, to jumpstart hiring and investment in the work force; it benefits all businesses, including nonprofits. The act provides two new tax benefits to employers who hire previously unemployed workers: payroll tax forgiveness and an employer income tax credit of up to $1,000 for retention of qualified new hires.

The HIRE Act also extends expired provisions from 2009, increasing the amount a business can expense under Section 179 for 2010.

What tax relief will the Small Business Jobs Act of 2011 provide?

Signed into law by President Obama on Sept. 27, 2010, the act impacts businesses eligible to claim Section 179 expenses and those that made capital expenditures in tax years beginning in 2010 or 2011. Small businesses receive an increase in their expensing limit to $500,000, with phase-out beginning at $2 million.

Additional benefits for small businesses include reduced recordkeeping requirements for the deduction of employer-provided cell phones and deductions for health insurance costs when calculating self-employment tax. In addition, the carry-back period for eligible small business credits will be extended from one to five years beginning with the 2010 tax year.

The act also eliminates capital gains taxes for those investing in small businesses.

Many of the relevant provisions in the act do not require action by a specific date in order to claim the benefits, although it’s still unknown if some provisions will extend beyond 2010.


What other changes can businesses expect in 2011?

Potential tax increases include:

  • The two highest marginal tax rates will increase from 33 to 36 percent and from 35 to 39 percent.
  • The tax rate on qualified dividends will rise from 15 percent to a maximum rate of 39.6 percent, meaning they will be taxed as ordinary income.
  • The maximum tax rate on long-term capital gains will rise from 15 to 20 percent.
  • The estate tax will be restored at a higher rate.

President Obama has also made the following proposals:

  • Companies would be allowed to write off 100 percent of their new investment in plants and equipment through 2011 — retroactive to Sept. 8, 2010.
  • The research credit would be expanded from 14 to 17 percent and made permanent.
  • The EGTRRA tax cuts for the middle class (under $250,000 AGI) would be permanently expanded.

What tax planning strategies should businesses implement for the 2010 tax year?

With the dividend rate increasing in 2011, corporations may consider issuing a dividend to maximize shareholder value. Companies should evaluate dividend plans to ensure that the dividend qualifies for the reduced tax rate.

Domestic manufacturers, agricultural producers, energy producers and construction companies should look into any domestic production deduction opportunities and complete any planning before the end of the current year. The deduction is 9 percent of a business’s qualified production activities for income tax years beginning in 2010 and effectively reduces the corporate income tax rate on domestic manufacturing income by 3 percent.

Businesses may defer the recognition of certain cancellation of debt (COD) income realized in calendar years 2009 and 2010 until 2014, in which case they will begin recognizing the income ratably over a period of five years. The reacquisition of a debt instrument by the lender must occur between Dec. 31, 2008, and Jan. 1, 2011.

Are there new reporting requirements that businesses should know about?

Beginning in 2010, corporations with audited financial statements will be required to file Schedule UTP to report any uncertain tax positions recorded on their financial statements. Pass-through entities are not required to file this form for 2010, but that may change in the future. Reporting is phased in over the next five years, but for 2010 it is required for companies with assets greater than $100 million.

Catherine Fox-Simpson is a partner with Crowe Horwath LLP. Reach her at [email protected] or (214) 574-1013, or visit

How to establish a progressive internal audit program that covers all the bases

Larry Rieger, CPA, Partner, Crowe Horwath LLP

The internal audit: It’s a necessary part of conducting business that, done right, can at once assess operations, identify areas for improvement, manage risks and help maintain compliance. Now more than ever, audit committees, chief financial officers and other stakeholders need greater assurance that internal controls and risk management procedures are effective and efficient.

Internal auditors can help restore stakeholder confidence and reduce the cost of the audit process by adopting four key principles of a more progressive internal audit model, says Larry Rieger, a partner at Crowe Horwath LLP.

Smart Business spoke to Rieger about deriving greater value from an internal audit function that is more central to building financial and operational excellence with confidence.

What are the main concerns that may not be addressed by current audit models?

Crowe Horwath LLP and partner organizations commissioned a set of three surveys to determine whether companies’ internal audit groups were meeting current business needs. In the survey, stakeholders indicated that internal auditors excelled in reviewing financial controls and transactions and testing past events; what was lacking was the ability to inform stakeholders of the company’s current status and what should be done to improve in the future.

Most audit committee members (75 percent of the respondents) echoed the stakeholders’ concerns by stating that risk management practices were an integral part of a company’s ability to avoid and/or plan for surprises. The ideal audit model would not just provide for traditional compliance audits but would address these concerns surrounding assurance, business performance processes and risk management efforts.

What specific changes should internal audit departments make?

Auditors will need to be smarter about where they spend their time by relying more on automated tools and using workflow methods that allow them to focus on the high-level controls.

  • Leveraging the work of others is one way that internal auditors can be more efficient with their processes and time. They can rely on the monitoring metrics and reporting that business managers are already using to manage their operations. Internal auditors can determine which of these reports they can accurately use during assurance audits and home in on the areas where problems are indicated.
  • When businesses are better managed, process owners can be held accountable for developing and owning controls at the business level and the internal auditors are unburdened. Internal auditors are then able to focus more on the principles of the new internal audit model.
  • Audit executives must focus resources on the constant review and enforcement of the four principles. Managing resource demands wisely allows for internal auditors to address areas of high and emerging risk while also providing continuous coverage to the principles of the new audit model.


What are the four principles of a progressive internal audit model?

Compliance: This traditional internal audit role can be streamlined through closer collaboration with management. Audit departments can save time and resources when testing past events and transactions to determine compliance with laws and regulations by taking advantage of reports that managers already use to monitor controls in their unit.

By relying on the work of business unit managers as a starting point, auditors can focus on the issues that are red-flagged during the audit of the control processes. For example, reports generated by a business’s IT department can help auditors to determine whether control processes in place sufficiently safeguard security and adequately provide for an appropriate segregation of duties.

Assurance: Continuous monitoring systems generating real-time reports allow anything outside the bounds of tolerance to be detected as early as possible. By regularly reviewing control reports generated by a system, auditors can provide a level of continuous assurance that supports stakeholder confidence that everything is under control at all times. For example, if expenses in a certain business unit are out of line, the monitoring system at the business-unit level would send an e-mail to the appropriate person. Or, the accounts of delinquent customers could be flagged so that no new sales would be made to those customers.

While a continuous monitoring system does require an upfront investment, it pays off by lessening the burden on the internal auditors’ resources, allowing them to focus on the high-level items.

Business performance improvements: An area that is often lacking in the audit function is the ability to actually improve business operations. By identifying problems, and then taking it a step further by recommending ways to improve, the internal audit can and should add value to the organization as a whole. Comparing their reports to benchmarks and best practices, auditors have the knowledge to support such recommendations as shifts in resources or operating procedures, or new technology investments.

Risk identification: Again, auditors can tap into information that already exists in business units — this time regarding each unit’s own risk-management activities that are already in place. This makes the process of ongoing monitoring of risk less time-consuming and more integrated. Key risks are always changing; stakeholders require as much knowledge as possible concerning the company’s risk exposure as a whole within a business environment that is constantly in flux.

Larry Rieger, CPA, is a partner at Crowe Horwath LLP. Reach him at (214) 574-1000 or [email protected]

What service organizations need to know to prepare for the new SSAE 16 requirements

Arshad Ahmed, CPA, CISA, Partner, Crowe Horwath LLP

Reporting requirements for service organizations are about to change, which will require affected companies to devote additional time and resources in order to comply. Statement on Standards for Attestation Engagements No. 16 (SSAE 16), “Reporting on Controls at a Service Organization,” was issued April 2010, to bring the U.S. reporting standards for service organizations closer to those of the International Federation of Accountants (IFAC) and the International Auditing and Assurance Standards Board (IAASB).

Organizations already familiar with Sarbanes-Oxley, the Model Audit Rule and other controls-based audits and reporting requirements will have an advantage during the transition, but all service organizations should begin preparing for the new requirements soon as the deadline for adopting them is quickly approaching.

Smart Business spoke with Arshad Ahmed, CPA, CISA, of Crowe Horwath LLP, about how companies can take steps now to apply the standards in the most efficient manner.

Why was SAS 70 replaced?

The IFAC and the IAASB adopted International Standard on Assurance Engagements (ISAE) 3402 in December 2009, which is the first standard the international community has established on issuing reports on controls at service organizations. Here in the U.S., since 1992, service organizations — third-party vendors such as data processors, third-party administrators and fulfillment houses — found their guidance from the AICPA Statement on Auditing Standards (SAS) No. 70, ‘Reports on the Processing of Transactions by Service Organizations.’ When the Auditing Standards Board (ASB) sought to bring its standards closer to those of the IFAC and the IAASB, it signaled the end of SAS 70.

The changes will apply to reporting periods ending on or after June 15, 2011, with an option for early adoption. Many companies will need to submit required documentation to their independent auditor by the fall of 2010.

What are the main differences between SAS 70 and SSAE 16?

A report done under the guidance of SSAE 16 will require management to provide an assertion on their controls when the auditor is engaged, as the auditor’s opinion will be focused on management’s assertion.

Once the auditor is engaged, the scope of the report can only be altered if there is a ‘reasonable basis’ for the change such as discontinued operation of a segment or line of work or implementation of a new service offering. The determination by management that an area may not successfully pass testing would not be a reasonable basis for a change in scope.

In addition, the service organization will need to identify the potential risk of each control objective not being achieved, and determine the controls and activities the service organization has established to help ensure that the control objectives are achieved. Other major differences include:

  • A more robust description of the system
  • More information regarding significant changes to the system and controls during the time frame for type 2 reports
  • An auditor’s report that covers the design of controls throughout the time frame rather than on the last day of the time frame as required under SAS 70

The look and feel of the report largely remains the same. There will be an opinion, a description of the environment provided by the service organization, control objectives, a section detailing the controls the auditor tested and how they were tested, and the results of their testing that support the control objectives, user control considerations and other information provided by the service organization.


How can organizations best prepare?

Begin with establishing a framework and basis for providing the management’s assertion. As the start of the reporting period approaches, define the scope of the report (systems, processes, services it covers) and provide the scope and control objectives to the external auditor, along with the management assertion and a summary of systems.

Throughout the reporting period, cooperate with the auditor by reporting any system changes and continue with the validation of controls through monitoring activities and/or testing. Consider changes in scope only if there is a ‘reasonable basis’ for the change.

Companies will also need to engage any third-party vendors and inform them of the new requirements in order to coordinate the preparation of the management assertions.

Once management identifies the start date of the next reporting period, it should quickly take steps to line up the necessary resources to handle the greater workload that compliance requires.

Are there other reporting options?

A service organization could have an AT 101 or AT 601 report issued. These reports are opinions on management assertions but do not have the same restrictions as an SSAE 16 report. The subject matter of the assertion could be any control or process of the organization; it is not limited to the financial controls the service organization’s customers’ financial auditors would be concerned with in conducting their financial audit. Both AT 101 and AT 601 reports could include additional information similar to that provided under an SSAE 16 or SAS 70 report. However, the opinion on management’s assertion is more limited under AT 101 and AT 601.

We anticipate some organizations providing both an SSAE 16 and AT 101 report as their customers want information to complete elements of a vendor compliance program, and typically such programs require more information than just elements that would be considered under a financial audit.

Arshad Ahmed, CPA, CISA, is a partner with Crowe Horwath LLP. Reach him at (214) 574-1000 or [email protected]