New Changes to SAS 70 Reporting – Here Comes SSAE 16

5/12/2011

By Keith A. Ferguson, CISA, CISSP, CRISC

A SAS 70 report covers the processing of transactions by service organizations. It is an independent examination of controls identified by a service organization. The report provides guidance that enables an independent auditor to issue an opinion on a service organization's description of controls through a Service Auditor's Report. The SAS 70 has been around for almost 20 years, and, come June 15, a new standard will be in place. While much of the new standard will remain the same or similar, there are some significant differences.

Why Make Changes to SAS 70 Now?

Changes are being implemented for three main reasons: 1) users’ demand for a detailed understanding of processes and controls at service organizations; 2) service organizations’ concern about increased and conflicting user demands for assessments; and 3) changes in the environment, with an explosion in the volume and sophistication of outsourcing and use of third parties, which extends the reach of governance outside the user organization.

What SSAE 16 Requirements are still consistent with SAS 70?

SSAE 16 follows some SAS 70 standards including:

  • Internal controls at service organizations
  • An emphasis on financial reporting
  • The concept of Type 1 and Type 2 reports
  • The structure of the report
  • Testing methods

Additionally, the way the use of subservice organizations is considered, and the restricted distribution of the report, also remain consistent with SAS 70 standards.

What SSAE 16 Requirements are Different from SAS 70?

Requirements that are different include:

  • A move from audit to an attestation standard
  • Written management assertion is included in the report
  • Suitable criteria used to consider design of controls
  • Design opinion in Service Auditor’s Report to cover the entire reporting period
  • Greater emphasis on carve‐out vs. inclusive method
  • Clarity on consideration of materiality
  • Prescribed guidance and reporting for use of internal audit
  • Alignment with international standards

The effective date for implementing SSAE 16 is for reporting periods ending on or after June 15, 2011. Although early adoption is permitted, it does not appear that most service organizations will elect to do so. Instead, most organizations will use the time to become informed and properly plan for their implementation.

What are the New Reporting Options with SSAE 16?

SOC 1 – Internal Controls over Financial Reporting (AT 801): The purpose of this type of report is to provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a Type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

SOC 2 – Trust Services Principles, Detailed Reporting (AT 101): The purpose of this type of report is to provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality or privacy.

SOC 3 – Trust Services Principles, SysTrust & WebTrust (AT 101): The purpose of this type of report is to provide interested parties with a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy.

How Will You Know Which Report to Use?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial reporting? Will the report be used by your customers as part of their compliance with the Sarbanes‐Oxley Act or similar law or regulation? In these situations, a SOC 1 report may be most appropriate.

If, however, the report will be used by your customers or stakeholders to obtain confidence in, and place reliance on, key compliance and operational controls over a service organization’s systems, then a SOC 2 or SOC 3 report may be the preferred format. Further, if posting a summary report or seal will be sufficient, then a SOC 3 may be the correct report.

SAS 70 reporting is being replaced by SOC 1/SSAE 16. Although early adoption is permitted, this becomes effective for Service Auditor’s reports for periods ending on or after June 15, 2011. SOC 1/SSAE 16 Type 1 and Type 2 reports are similar to current SAS 70 reports, with the key difference being a written management assertion. SOC 1/SSAE 16 is also an attestation engagement. For more information on this topic, visit the AICPA web site.