Statement on Auditing Standards No. 70, Service Organizations (SAS 70) has served as the standard for service organizations’ internal control over financial reporting since 1992. After the passage of the Sarbanes-Oxley Act in 2002, utilization of SAS 70 has occurred on a much greater basis.
A new standard - SSAE No.16 - has been issued that will replace SAS 70 effective for reports covering periods ending on or after June 15, 2011. Early adoption is permitted.
This E-Focus provides RubinBrown clients and contacts insight into the basic details related to the new standard.
SSAE No. 16
The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization in January 2010. SSAE No. 16 supersedes SAS 70.
The new standard will require changes to the report, as well as the reporting process for the service organization. The required changes could be significant for some service organizations.
Changes for the service organization
With SSAE No. 16, the service organization will be required to provide a description of the system. The system will be more encompassing than the description of the controls included as part of SAS 70.
The new description will provide more information related to the people, processes, and technology in place to achieve the control objectives. The description will also include more information on the classes of transactions being processed.
Another significant change is the requirement that the service organization provide a written assertion that will be a component of the report. The assertion by management will indicate its responsibility for the accuracy of the description of the system and the evaluation criteria for the basis of making the assertion.
Responsibility changes for the service auditor
The new standard requires some changes for the service auditor; however, they are not significant. First, SSAE No. 16 is an attestation standard rather than an audit standard. This change will help to remove inconsistencies with audit guidance.
Second, when using the work of internal audit on a Type 2 report, the new standard will require the service auditor to describe the procedures performed by internal audit and the steps taken to test the completed work.
Changes for entities using a SAS 70 (SSAE No. 16)
As these changes are implemented, it will be a good time to re-visit the SAS 70/SSAE No. 16 reports you rely upon to understand the new description of the system and the new management representations. Take time to understand how these changes relate to the environment you are relying upon.
Service organization considerations for SSAE No. 16
Now is the time to start thinking about what needs to happen in order to implement the new standard.
Consider the following:
- Contact a service auditor to discuss the new standard
- Determine the implementation date for your organization
- Understand the management representation
- Create a project plan
- Create a change management plan – clients/customers
- Identify changes to the description of system and understand their impact
- Identify changes in controls and operating effectiveness
RubinBrown's Audrey Katcher currently serves on the AICPA Data Integrity Task Force. Through roles such as this, RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization through the transition.
Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.