Getting ready for SSAE 16 (Service Organization Control) 

SAS 70, the standard for reporting on internal controls at service organizations, is about to change, and the change will require service organizations to devote additional time and resources in order to comply.

The new guidelines are now found in the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), "Reporting on Controls at a Service Organization," which was issued in April 2010. SSAE 16 was intended to bring the U.S. reporting standards for service organizations closer to those of the International Federation of Accountants (IFAC) and the International Auditing and Assurance Standards Board (IAASB).

The changes will apply to reporting periods ending on or after June 15, 2011, with an option for early adoption.

Why was SAS 70 replaced?

The IFAC and the IAASB adopted International Standard on Assurance Engagements (ISAE) 3402 in December 2009, which is the first standard the international community has established on issuing reports on controls at service organizations. Here in the U.S., since 1992, service organizations – third-party vendors such as data processors, third-party administrators and fulfillment houses – found their guidance from the AICPA Statement on Auditing Standards (SAS) No. 70, 'Reports on the Processing of Transactions by Service Organizations.' When the Auditing Standards Board (ASB) sought to bring its standards closer to those of the IFAC and the IAASB, it signaled the end of SAS 70.

What are the most important requirements under SSAE 16?

Management will need to provide the auditor with a written assertion to be included in the service auditor's report. The written assertion should state the following:

  • Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period);
  • The controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives as of the specified date (or for a Type 2 – throughout the specified period);
  • The controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives (Type 2 only).

With the new SSAE 16, the service auditor will now make an attestation on these management assertions. The service auditor will assess whether management has used suitable criteria:

  • In preparing its description of the service organization's system;
  • In evaluating whether controls were suitably designed to achieve the control objectives stated in the description; and
  • In the case of a Type 2 report, in evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description of the service organization's system.

How do I prepare for SSAE 16?

1. Re-evaluate Scope of Report

Service organizations need to review the description of controls to ensure that it addresses all major aspects of the service provided and that those aspects are included in the scope of the engagement. Is the description prepared at a level of detail that could reasonably be expected to give a broad range of user auditors sufficient information to obtain an understanding of the internal control structure?

2. Identify Risks that Threaten the Achievement of the Control Objectives

The service organization needs to perform a risk assessment of its control objectives to identify the events that may threaten the achievement of the control objectives stated in the description. The service organization also needs to design suitable controls that operate effectively and provide reasonable assurance that the control objectives will be achieved.

3. Identify Key Controls

  • Identify the key controls that mitigate the risks that threaten the achievement of the control objectives
  • Inquire of Risk Owners to understand what controls they utilize to inform them when the respective risks are not being mitigated
  • Evaluate whether the key controls can be addressed through monitoring controls (e.g., Internal Audit review), the performance of existing controls (e.g., quarterly access review), or require a separate testing effort

4. Identify Sub-service organizations from whom Management Assertions will be required

Management should consider whether any sub-service organizations need to develop assertions about their controls that affect the service organization's internal control structure. If the sub-service organization does not provide an assertion, the inclusive method cannot be used.

What must be in the assertion?

The four steps discussed above will help service organizations develop the assertions that will be included in the service auditor's report. Management should be able to provide evidence that it used suitable criteria to assess:

  • Fairness – How did you determine that the description addressed all of the required elements?
  • Design – How did you identify the risks that threaten the achievement of the control objectives and how did you identify the key controls that mitigate those risks?
  • Operating effectiveness – How do you know that the key controls were operating with sufficient effectiveness to achieve the control objectives?