How service organizations and their auditors can make the transition from SAS 70 to SSAE 16.
By Sue Ostrowski, Smart Business
Interview with Sumit Kalra, BPM Director
New attest standards go into effect on June 15, 2011, and the auditors of service organizations will have to change the way they report to their clients and their clients' customer organizations.
Service organizations that perform business services that affect their customers' financial internal control environments - for example, outsourced payroll services - typically undergo a SAS 70 examination, and they will have to meet expanded reporting requirements under the new attest standard, says Sumit Kalra, a director in the San Jose office of Burr Pilger Mayer.
"Initial and ongoing additional effort is required to comply with the new professional attest statements," he says.
Smart Business spoke with Kalra about the key changes to service organization reporting standards and what service companies can do now to ensure a smooth transition.
What is the SAS 70 standard and how is it changing?
Statement on Auditing Standards (SAS) No. 70 was issued by the American Institute of Certified Public Accountants (AICPA). It is currently the de facto standard utilized to report on internal controls of a service organization that are relevant to financial reporting of their customers. The resulting report is produced by the service organization's auditor to communicate with its customers' auditors. The report is used by the customers' auditors to gain an understanding of the internal controls that may be relevant to a client organization's internal controls as it relates to an audit of financial statements.
For the auditor of the service organization, the SAS 70 standard is being replaced with Statement on Standards for Attestation Engagements (SSAE) 16. The AICPA released SSAE 16 in April 2010, and the standard is effective for report periods ending on or after June 15, 2011. Early adoption is permitted to allow companies to phase in compliance and avoid a last-minute rush.
What are the key changes in the new standards?
Under the new attest standards, auditors of service organizations will be required to include in the report their clients' written assertion outlining their responsibilities related to fair presentation of their systems, suitability of design and operating effectiveness to achieve the control objectives as they relate to financial reporting. However, if the organization renders a service that does not impact the financial reporting of its customers, based on the new guidance within SSAE 16, its auditors might find themselves reporting under the AICPA guide to be published in early 2011, titled 'Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.'
Service organizations will also be required to disclose in the report issued by their auditors the suitability of the design criteria used to make the assertion and will need to perform a risk assessment to identify the risks and considerations for materiality that threaten the achievement of control objectives stated in management's description of the system.
What are the factors driving the change?
The AICPA decided it was a good time to update and converge U.S. standards with the international standards, bringing them both in line. The key driver was the recently published International Standard on Assurance Engagements 3402 (ISAE 3402) by the International Auditing and Assurance Standards Board (IAASB). ISAE 3402 was developed to provide an international standard for auditors to report on service organizations' internal controls that are relevant to their customers' controls over financial reporting.
Due to the globalization of outsourcing, service organizations can now direct their auditors to perform their attest engagement under either or both of the SSAE 16 and ISAE 3402 standards, based on their customers' reporting needs.
What can a business do now to prepare for the change?
Service organizations and their auditors will have to update existing reports to conform to the new requirements. The process will involve service organizations engaging with their customers to understand their reporting needs, SSAE 16 and/or ISAE 3402, and engaging them in the planning stage; updating contracts that explicitly state SAS 70; creating and implementing a risk assessment process; writing their assertions and adding them to the reports; updating representation letters to reflect new requirements; and updating specific sections of the report to reflect the new requirements. In addition, the service organization will have to collaborate with its legal counsel, customer operations, sales and other relevant members of its management team to apply the new requirements properly.
User organizations (customers) will also have to know the report they need and whether it satisfies their external auditors' needs in a financial statement audit. Customers receiving these reports should discuss with their auditors the implications of a change to SSAE 16/ISAE 3402. Subsequently, customers should communicate the specific needs of their circumstances to the service organization prior to the start of the period for consideration in the next report.
Essentially, all parties will have to get organized in terms of the new requirements, plan the transition, educate impacted stakeholders and implement the changes.
Addressing this change can be challenging and you don't want to wait until June 15, 2011, to get started. In addition, service organizations should consider employing external advisers to assist with the implementation of the changes. External advisers can use their knowledge of the standard and internal controls background to minimize the impact, time and effort it takes to implement the change.