Just when you thought you had SAS 70 audits all figured out, along comes the new SSAE 16 assessment standard. If your company must undergo SAS 70 audits, then you will need to understand the new standard that replaces the SAS 70 standard. The SSAE 16 standard superseded the SAS 70 standard on June 15, 2011. Any auditor’s report produced after that date must conform to the new standard.
What is SSAE 16, and to Whom Does it Apply? SSAE 16 applies in the same fashion as SAS 70. If your company provides services to publicly-traded companies registered with the Securities and Exchange Commission, you may need to produce an “Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design of Controls” in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16). Whew! Those of us without the lung capacity of a competitive swimmer simply refer to it as an SSAE 16 assessment. Companies providing services such as payroll processing, benefits administration, and claims processing, among other professional services, may be asked to provide their customers with a copy of their SSAE 16 assessment report. Do you sell a Software-as-a-Service or “Cloud” offering to publicly-traded companies? If you do, you are a service organization, and may be subject to this requirement.
Tell me Again… Why Must I do these Assessments? What happens when a publicly traded company exerts poor control over the accuracy of their financial statements? Enron happens. Not only Enron, but other horrors you may recall from splashy accounting scandal reporting. In response, the Sarbanes-Oxley (SOX) Act holds officers of publicly-traded companies responsible for the fairness and completeness of their company’s financial statements. The quality of these statements depends on a company’s internal controls. These controls are processes designed to meet objectives for financial reporting reliability, operational effectiveness and efficiency, and compliance with applicable laws and regulations. The SOX act requires that signing officers evaluate their controls and report any deficiencies. Your company may not be publicly-traded. However, if your company’s services could impact the financial statements of one of your SOX-affected customers in any way, then your company’s internal controls impact that customer’s controls. Remember, SOX requires companies to make complete and accurate assertions about all controls that keep their financial reporting honest. So how could your customer’s officers attest to the quality of your controls? Without SSAE 16 assessments, the choices would be daunting. The customer could: 1) audit your controls sufficiently to make assertions about their quality, 2) take charge of your controls, or 3) state that your unknown controls are a possible weakness in their own. These options have obvious drawbacks. No publicly-traded company wants to go on record admitting to inadequate controls. On the other hand, it would be hard to audit every service provider one does business with, or to take charge of their controls. Similarly, service providers with multiple SOX-affected customers could go out of business responding to an onslaught of customer audits. The SSAE 16 assessment is designed to solve these problems. A service provider can choose to undertake its own SSAE 16 assessment, and then simply provide a copy of the SSAE 16 auditor’s report to any of their customer’s auditors who request it. Because it’s an “auditor-to-auditor” report, your customer’s auditors can rely on the report to verify the quality of your controls, without having to assess you themselves.
What has Changed with the SSAE 16 Standard?
Management Attestation SSAE 16 is an attest standard, not an audit standard. This is an accounting standard technicality. It relates to the SSAE 16 assessment requirement that your management will attest in writing to the fair presentation and design of controls. Under the previous SAS 70 standard, only the auditors reported on controls; the company’s management was not required to make any attestations. This attestation is the main difference between SAS 70 and SSAE 16. Under SAS 70, your company’s management provided representations in the form of a signed management representation letter given to the auditors prior to issuance of the SAS 70 report. The letter was not included in the actual report, however. Your “system,” in the language of the SSAE 16 standard, is the system that delivers your services and the controls and activities that support service delivery. Management’s attestations, included in the SSAE 16 report, are based on their description of their system. Management will attest:
· That management’s description of the system fairly presents the system that was designed and implemented during the period covered by the assessment (for a Type II) or at a point in time (for a Type I), · That the controls related to the control objectives stated in that description were suitably designed during that period (for a Type II) or at that point in time (for a Type I) to achieve the control objectives, and · For Type II assessments, that the controls operated effectively throughout that period to achieve the control objectives.
The auditors will examine your company’s controls to determine their own opinion on these matters. The fact that management must now make these attestations further highlights management’s full responsibility for the controls in operation. This also better aligns SSAE 16 with SOX. Because SOX-affected companies’ management are held accountable for the veracity of their financial report attestations, SSAE 16’s attestation requirement for service organizations keeps the same kind of accountability in place for all internal controls in question.
Suitable Criteria for Evaluation New in SSAE16 is a requirement that your management must use suitable criteria for evaluating the overall system you use to provide services. Different standards could be used to provide those criteria, depending on the type of services the company provides (like ITIL, COSO, COBIT, or ISO, for example). The criteria used must be specified in the management attestation section of the report. The minimum suitable criteria are specified in the SSAE 16 standard.
Evidence from Prior Engagements Disallowed Under SAS 70, auditors could use evidence collected during prior audits to reduce the extent and time of the testing. Under SSAE 16, auditors may not use evidence from prior engagements about the satisfactory operation of controls, even if that evidence is supplemented with new evidence provided for the current reporting period.
Disclosure of Reliance on Internal Auditors If any tests of controls are performed by your company’s internal auditor, the SSAE 16 engagement auditor is required to clearly identify those tests in their description and describe SAS 70 is now SSAE 16 Page 3 of 5 © ADV Group, LLC 2011 their procedures with respect to the internal auditor’s work. The SAS 70 standard did not require such disclosure.
Restrictions on Report Use SAS 70 restricted use of the audit report to your management, your customers, and your customer’s financial statement auditors. SSAE 16 further narrows the restriction regarding your customers, depending on the type of report. For a Type I, use is restricted to entities that are your customers as of the report date. For a Type II, use is restricted to entities that are your customers during the report period.
Included versus Excluded Subservice Providers Your company may use services provided to you by another company in the course of serving your customers (for example, a data center). If the services subject to the assessment include anything you obtain from another service provider (called a “subservice organization”), you have the same choices as with SAS 70: the inclusive method, or the carve-out method. What differs in SSAE 16 is that—for the inclusive method—your subservice provider’s management must provide assertions similar to those required of your management. If you can’t obtain the assertions from your subservice provider, you must use the carve-out method. As with SAS 70, the inclusive method includes the subservice providers’ controls in your assessment, just as if the controls were your own (requiring assessment participation from the provider). A carve-out assessment excludes your subservice provider’s controls. With a carve-out assessment, your customers would probably want to obtain your subservice provider’s own SSAE 16 report. Of course, if the provider chose not to undergo an SSAE 16 assessment of the right type, it could create a problem for your customers. Whether to include or carve-out your subservice providers is a choice you make based on what you believe your customers will require, and whether your provider can reliably provide an assessment report of their own.
What Remains the Same? Scope of the Assessment The SSAE 16 standard, as with the SAS 70 standard, does not dictate the set of controls that must be covered by the assessment. It is for you to decide which controls are pertinent to the services you provide. You should understand what your customers’ auditors would consider to be pertinent to your services when determining the scope of the assessment. One way to define scope is to review your services contracts. The contractual obligations around your services would reasonably draw the boundaries that define your system and the controls that support it.
System Description SSAE 16 also relies on your description of your system, the controls, and the objectives the controls are designed to meet, just as with SAS 70. The auditors assess whether the description fairly describes the system and controls, and whether the controls are designed to meet the stated objectives. Control objectives are stated in a similar fashion in SSAE 16 as in SAS 70. For example: “Control activities provide reasonable assurance that information systems are protected from unauthorized access, interference, damage, or destruction.” For each objective, you will also describe the activities your company performs to meet the objective. The auditors will ask for evidence to support your claim of undertaking these activities.
Type I and Type II As with SAS 70, SSAE 16 reports come in one of two types: Type I or Type II. Both types rely on management’s description of controls. The scope of each type of report is similar to that under SAS 70. Type I assesses whether a company’s internal controls are fairly and completely described and whether they have been adequately designed to meet their objectives, assessing the controls in place at a certain point in time. Type II does the same, but takes it further—it actually tests the controls in operation over a certain stated time period. As you might imagine, the Type II is more thorough and requires more time and effort. The type of assessment report you need (I or II) will be dictated by your customers and prospects; they know how your services impact their operations, which in turn determines the type of report they will require of you.
Basic Format of the Audit Report The auditor’s reports will follow the same basic format as for SAS 70, with the following components: · The auditor’s Opinion Letter, which states whether they believe your controls are adequate (also called the “Independent Service Auditor’s Report”) · The descriptions of the services you provide, and your organization’s controls, covering: o The control environment (management style, ethical philosophy, organizational structure, etc.) o Risk assessment and management o Information and communication systems o General controls o Application controls o Monitoring procedures · User control considerations (a “user organization” means a customer, using the services in question) · Any other relevant information, provided by your management, that may apply to the report
Assessment Process Like the SAS 70 audit, the SSAE 16 assessment requires that the auditors review the management’s assessment of their controls and provide an opinion on its validity. They will review the control objectives and control activities at your company to verify that they exist and are designed as described. The auditors will obtain samples of artifacts (like documents or reports) to support each control activity. For Type II assessments, the auditors will test the effectiveness of the controls, to determine that they can reasonably meet the control objectives they were designed to meet.
What is the ISAE 3402 Standard, and does it Apply to Me? SSAE 16 also responds to the convergence of accounting standards between those in the U.S. and the globally accepted principles (ISAE 3402) for reporting on controls at service organizations. SSAE 16 and ISAE 3402 are very similar. Should your customers require ISAE 3402, your auditor can advise whether you need a separate report for that standard.
Don’t Call Yourself “Certified” Although this may seem a trivial point, the AICPA apparently disagrees with the commonly used phrase “SAS 70 Certified” or “SSAE 16 Certified”. Technically, you do not receive a certification under these standards. It is more accurate to say you are “SSAE 16 Compliant”.
Getting Ready for SSAE 16 To make the transition to SSAE 16, you should: · Review your service contracts to ensure that your system description is complete and accurate · Determine whether you will use the inclusive method and, if so, how you will obtain the necessary attestations from your subservice providers · Review your existing controls and activities to ensure they are adequate and operating effectively · Ensure your ability to provide evidence for each control activity to your auditor · Develop a plan for communicating the new standards (and restrictions on report use) to your customer-facing teams Because the new standard applies on June 15, 2011, some companies may be impacted as early as July 1, 2011. Make sure you are ready!