First issued in April 1992, SAS 70 has become increasingly prevalent in the service industry segment, providing highly effective and globally accepted guidance for reporting on controls at service organizations. In April 2010, the AICPA issued Standards for Attestation Engagements No. 16 (SSAE 16) to replace SAS 70 and converge with international standards.
ISAE 3402 and SSAE 16 will become effective for reports for periods ending on or after June 15, 2011, with earlier implementation permitted. While these new standards are not significantly different from SAS 70, they present certain noteworthy changes that require service organizations to alter their reporting processes. Also, SSAE 16 reiterates the reports’ focus on controls that are relevant to user entities’ controls over financial reporting.
The most significant change service organizations may notice in the new ISAE 3402 and SSAE 16 standards is the requirement to provide a written assertion about the fair presentation, design, implementation, and in the case of a Type II report, operating effectiveness of its controls.
Similar to Sarbanes-Oxley requirements, the requirement of a written assertion places additional responsibilities on service organizations’ management. To provide a written assertion, management must form a reasonable basis by selecting suitable criteria that will be used to prepare its description of the system (see the “Description of system” section below) and to evaluate whether controls were suitably designed and/or operating effectively. In addition, the criteria are only deemed suitable if they identify the risks that threaten the achievement of the control objectives stated in the report, and the controls that, if operating as described, would reasonably mitigate those risks.
To respond to the requirements for suitable criteria, service organizations should put in place processes to periodically evaluate their controls’ design and operating effectiveness. We also recommend that service organizations use existing risk assessment processes to evaluate and document the risks that threaten the achievement of the control objectives, although the identified risks do not need to be described in the service auditor’s report. A designated officer or management should oversee the processes that monitor the organization’s controls, as well as the risk assessment effort, to ensure the written assertion is authorized and has a reasonable basis.
For service organizations that have elected to use the inclusive method for their subservice organizations, management will also need to obtain a written assertion from the subservice organizations. The inclusive method entails inclusion of subservice organizations’ descriptions of systems and, in the case of a Type II report, tests of operating effectiveness in the report. Early discussions with subservice organizations are therefore critical in the implementation of the new standards.
Description of system
Unlike the SAS 70 requirement that service organizations provide a description of controls, the new ISAE 3402 and SSAE 16 standards call for a more comprehensive description of the service organization’s system. The description of system should identify the following information wherever applicable:
- the types of services provided, including the classes of transactions processed;
- the procedures and accounting records related to the services provided, including the initiation, authorization, recording, processing, and correction of transactions;
- significant events and conditions other than transactions; and
- the process used to prepare reports and other information for user entities.
The description of system is also expected to include policies and procedures that have been designed, implemented, and documented relating to the services provided.
Despite the overwhelming list of items to be included in the description of system, many service organizations that have obtained SAS 70 reports in the past may find that their current descriptions already satisfy the requirements of the new standards. As user entities and auditors placed increasing reliance on SAS 70 reports, many service organizations experienced the demand for more comprehensive descriptions. Many service organizations have effectively provided descriptions of systems in their past SAS 70 reports, even though that level of detail was not required by the SAS 70 standard. Reports that previously focused on the minimum requirements of SAS 70 are expected to require substantial additions.
Controls over subject matter other than financial reporting
As outsourcing gained popularity, related risk management concerns increased. Without a de facto standard for evaluating service organizations at the time, SAS 70 gained prominence in becoming the standard for all types of service organizations, ranging from traditional payroll processing and claims processing providers whose controls are relevant to user entities’ financial reporting, to less traditional providers such as cloud computing data centers and mail processing providers. The controls at the less traditional providers may at times be more relevant to the privacy of user entities’ business and customer data than to financial reporting. This shift in the marketplace further propelled the use of SAS 70 reports nationally and internationally as a widely accepted third-party assurance tool, despite SAS 70’s original intent to address only controls that are significant to financial reporting.
The issuance of SSAE 16 reiterates this intent, discouraging the use of the standard for examinations over subject matter other than financial reporting. Instead, the AICPA suggests that such engagements be performed under the Attestation Standards (AT) Section 101, titled Attest Engagements. The AICPA is also in the process of developing new guidance to address reporting on service organizations’ controls over subject matter other than financial reporting.
Conclusion and next steps
Although SAS 70 has served as the de facto standard for third-party assurance for almost two decades, the new ISAE 3402 and SSAE 16 standards represent a much-needed update that consolidates various standards around the world into a globally recognized standard and ultimately enhances the usability of service auditors’ reports. With some SAS 70 reporting periods covering as long as 12 months, the new standards can affect service organizations as early as July 1, 2010. As with the introduction of any new process, early planning and diligent project management are crucial to successfully implementing the new standards. To maintain the competitive advantage that third-party assurance standards provide, we encourage service organizations to work with their service auditors to proactively plan for the new standards and demonstrate their commitment to a strong, effective, and transparent control environment.