Background

The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization (service organizations are also referred to as vendors), was issued in April 2010.  With effect from June 15, 2011, SSAE 16 has replaced the long-standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls.  The focus of SSAE 16 is the service organization's controls that are relevant to its customers' (the user entities') internal control over financial reporting.

How does SSAE 16/ISAE 3402 apply to service organizations?

The Sarbanes-Oxley Act ("SOX") effectively requires publicly traded companies that outsource a portion of their processes to obtain an SSAE 16 report from their service organization, because management remains responsible for controls over financial reporting even when those controls operate at the service organization.  The SSAE 16 report can replace the need for the service organization to be subject to multiple audits from its customers and their respective auditors.  An SSAE 16 report ensures that all customers of the service organization and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.  SSAE 16 may also help the service organization realize significant efficiencies in its business processes, as well as improvements in its controls and control environment, through value-added recommendations from the service auditor.

Outsourcing service providers to US companies, whether located in India, China, Mexico, Ireland, Russia, Malaysia, the Philippines, Brazil, Singapore, Canada, Chile, Poland, or elsewhere, come under the purview of SSAE 16. An SSAE 16 report issued by a CPA firm is an effective vehicle for the service organization to give its customers assurance that the controls their interests depend on are in place.

What are the key benefits for compliance?

Service organizations can receive significant value from having an SSAE 16 examination performed.  An SSAE 16 report with an unqualified opinion issued by an independent CPA firm differentiates the service organization from its peers by demonstrating that it achieved a defined set of control objectives relevant to its specific industry, that its controls are suitably designed, and, in the case of a Type 2 report, that the controls operated effectively over a period of time.  An SSAE 16 report will not only help a service organization build trust with its existing customers but also position it in the marketplace to attract new clients.  A clean SSAE 16 report can put small to mid-sized service organizations on a level playing field with some of their larger competitors.  Most Requests for Proposals today require the service organization to have undergone an SSAE 16 examination.  In fact, without an SSAE 16 examination, you face the likelihood of being eliminated from an opportunity before even having the chance to bid.

What are the benefits to customers?

Customers of a service organization that obtains an SSAE 16 report receive an independent and unbiased opinion from the service auditor about the service organization's controls and the effectiveness of those controls.  The SSAE 16 report is a mechanism for customers of service organizations to demonstrate that they are managing the risks and exposures of outsourcing business services.  It helps provide assurance over the processing integrity and reliability of outsourced business transactions and services.

For service organizations that have not had an independent examination of their controls performed, it is never too late to consider obtaining one; for customers of service organizations, it is never too late to ask for one.

Why the change from SAS 70 to SSAE 16?

Globalization of business process outsourcing drove the need for a common global standard.  SSAE 16 was issued to align with International Standard on Assurance Engagements (ISAE) 3402.  There was also a need for increased emphasis on the service organization rather than on the auditor: SAS 70 was an auditing standard addressed to the auditor, whereas SSAE 16 is an attestation standard that places responsibility on the service organization's management for its description of the system and its assertion about the controls.  SAS 70 was also widely misunderstood; it was often treated as a certification or as evidence that best practices had been implemented, neither of which it was.  SSAE 16 clarifies these misunderstandings: the report is the service auditor's opinion on management's description and assertion, not a certification.

Difference between SOC 1 and SOC 2

SOC 1 is the report issued under SSAE 16: a report on controls at a service organization relevant to a user entity's internal control over financial reporting. A Type 1 report focuses on a description of a service organization's system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A Type 2 report contains the same opinions as a Type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

A SOC 2 report has the following key features:

  • Reports on controls at a service organisation relevant to security (the common criteria), availability, processing integrity, confidentiality, or privacy, rather than to financial reporting.
  • Uses the AICPA trust services criteria rather than control objectives defined by the service organization.
  • Includes a description of the service auditor's tests of controls and their results (in a Type 2 report).

Two types of engagements

SSAE 16 continues to enable a service auditor to perform two types of engagements:

1.    A Type 1 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
2.    A Type 2 engagement in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

What changed from SAS 70 to SSAE 16?

The following are some of the notable changes introduced by SSAE 16:
1.    A written assertion by management is required and must identify the suitable criteria used for its assessment.
2.    The report must also include a written assertion by the subservice organization if the inclusive method is used.
3.    While SAS 70 required only a description of controls, SSAE 16 requires a description of the service organization's system (its services, processes, infrastructure and controls).
4.    Management of the service organization must identify the risks that threaten the achievement of the control objectives and demonstrate that the controls address them.

Further questions or clarifications?

If you have questions, need clarification, or are seeking a road map to achieve SSAE 16/ISAE 3402 compliance, call or write to us at roadmap@www.coralesecure.com

Author : Probal C