Pritam Bankar, CISA, CISM and Harmeet Kaur, CEH
An increase in the use of technology has led to an enormous growth in user organizations outsourcing to service organizations. The Statement on Auditing Standards (SAS) No. 70 and the new Statement on Standards for Attestation Engagements (SSAE) No. 16 are applicable when a user organization outsources a business task or function to a service organization, impacting the user organization’s financial statement.
This article highlights the need for SSAE 16, the notable differences and similarities between SSAE 16 and SAS 70, and estimates the effort required to transition to the new standard.
SAS 70 is an auditing statement put forth in 1992 by the Auditing Standards Board (ASB) as designated by the American Institute of Certified Public Accountants (AICPA). It is used to report on the processing of transactions by service organizations, which can be done by completing either a SAS 70 Type I or a Type II audit.
SSAE 16 is an attestation standard issued by the ASB. It closely mirrors the international standard on reporting for service organizations, ISAE 3402. SSAE 16 is set to replace SAS 70. The SSAE 16 standard must be used for any service auditor report for periods ending on or after 15 June 2011.
Neither SAS 70 nor SSAE 16 can certify an organization. The SSAE 16 report is primarily an auditor-to-auditor communication with the purpose of providing a holistic view of controls at the service organization as applicable to the user organization.
The US Sarbanes-Oxley Act is mandated for all publicly traded companies operating in the US. Compliance with Sarbanes-Oxley requires management to provide assertions on the organization’s internal controls over financial reporting. This was not accounted for in SAS 70.
In addition, SAS 70 gained global adoption over time, even though it was developed with a primary focus on US organizations. Because its controls were aligned with the auditing standards of the AICPA, a US-based organization, there was a need to scale SAS 70 up into an international standard suitable for global adoption. SSAE 16 is closely linked to ISAE 3402, the international standard on reporting for service organizations.
The following describes the changes and differences between the two standards (figure 1).
Change in Type
SSAE 16 is an attestation standard, whereas SAS 70 was an auditing standard. This change was made to help service auditors eliminate certain inconsistencies that resulted from mixing the service organization reporting standard with financial audit guidance. According to the AICPA, examining controls in an organization should be considered an attestation, not an audit. An attestation is a type of engagement in which the attester provides a report that has been prepared in conformance with the appropriate criteria; it assesses the degree of correspondence between the assertions and the established criteria. An audit, on the other hand, involves an auditor providing an independent opinion about whether the asserter has prepared the reports in conformance with the applicable criteria.
Change in Requirement
SSAE 16 requires management’s written assertion, which was not mandated in SAS 70. Through the written assertion, the AICPA requires management to take explicit responsibility for the content of the report description, including the controls and control objectives. The assertion also represents management’s communication to customers, auditors and others that the controls in the report are suitably designed and are operating effectively. This assertion should have a reasonable basis, which can be drawn from a variety of sources, such as operational monitoring, internal audits and compliance activities.
The assertion should cater to management’s responsibility for the fair presentation of the description of the organization’s controls and for establishing and maintaining those controls. It should also include management’s belief that controls are suitably designed to achieve the control objectives specified in the description of the system controls.
The written assertion should be placed on company letterhead and should be made available, along with the SSAE 16 report, for auditors and management.
Change in Reporting Methodology
SSAE 16 requires a description of the system, rather than a description of the controls. SSAE 16 mandates that management provide a description of the systems present in the organization, whereas SAS 70 mandated a description of the controls. Under SAS 70, there was no standard set of controls and no guidelines for identifying them; management had to determine which controls were applicable for evaluation, with a fair chance of missing critical controls.
SSAE 16 does not explicitly state how the system is to be documented or to what extent. However, the term "system" is understood to include the description of the services provided, along with the supporting processes, policies, procedures, personnel and operational activities.
Change in Using Reports
SSAE 16 mandates disclosure requirements for the use of internal auditors, which SAS 70 did not. Internal audit is an integral part of every organization. Under SSAE 16, service auditors may leverage internal audit reports or other independent control audit reports for assessment purposes, but they must disclose that use in the service auditor’s report.
Change in Type of Reports
The time period covered by reports changes under SSAE 16. SAS 70 audit reports are of two types: Type I and Type II. Under SAS 70, a Type II report set out the auditor’s opinion regarding the operating effectiveness of a service provider’s controls at a specific point in time (typically the end of the measurement period); an SSAE 16 Type II report requires the auditor to opine on operating effectiveness over the entire period of testing. In SSAE 16 Type II engagements, the auditor’s opinion therefore covers the effectiveness of controls over a specific period, rather than as of a specific date, as was the case under SAS 70.
Change in Audience
With SSAE 16, the audience changes from user to auditor. SAS 70 was developed as a mode of communication for the service auditor to share audit work papers with the user auditor, who then relied on this work for planning and executing the financial statement audit. An SSAE 16 report, by contrast, is an auditor-to-auditor communication designed for user auditors, management of service organizations, management of user organizations and service auditors.
SSAE 16 represents a needed evolution to increase the usefulness of service organization reports. Even with the introduction of SSAE 16, management can still leverage existing documentation, with certain modifications, to satisfy SSAE requirements. The new standard does not significantly change the overall controls reporting process. With the proper transition and planning, the overall impact to the service organization should be minimal.
The new SSAE 16 standard still does not specify or provide guidelines for specific control objectives; for these, service auditors should reference COSO or COBIT.
Pritam Bankar, CISA, CISM, is a lead consultant within the Infrastructure Management Services group of Infosys Ltd. He has more than seven years of experience and has led several IT strategies consulting engagements in the area of information security, IT/IS audits, compliance and regulations, and IT governance. He is part of the IT controls and compliance practice, leading various compliance service offerings.
Harmeet Kaur, CEH, is a consultant with Infosys Ltd. She has five years of experience in conducting assessments on industry best practices, standards and regulatory compliance.
The ISACA Journal is published by ISACA.
© 2012 ISACA. All rights reserved.