Service Organizations to Receive New Standard with SSAE 16
For years, service organizations providing processes that affect their customers’ financial statement reporting have been held accountable by Statement on Auditing Standards No. 70 (SAS 70). However, beginning on or after June 15, 2011, these organizations will have a new standard to answer to and new regulations to follow.
The new standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), will supersede the out-of-date SAS 70 and take a closer look at service organizations’ internal controls. Among other things, it will require organizations to file a much more robust description of their systems of controls around the service being provided.
An attest standard rather than an audit standard, SSAE 16 will require the written attestation of the design and effectiveness of a service organization’s internal controls. This change is in part a result of the gaps that have gradually developed in SAS 70 and the effectiveness attestation has in filling them.
Gaps in SAS 70
Gregg Landers is lead managing director with CBIZ MHM, a large national accounting firm and professional services company providing a comprehensive range of business services and solutions to help clients better manage finances and employees. He believes that this change has much to do with the growth the business environment has seen since SAS 70 came into existence.
“In 1992, when SAS 70 was put into place, the business environment was in a very different place than it is now,” said Landers. “At the time, it really filled a hole for financial auditors. However, things have changed drastically over the years.”
One change in particular is the number of businesses that now operate internationally.
“SAS 70 was a fine standard, but it was not internationally accepted by all countries. This was not an issue in 1992, as there were not as many international companies. However, in 2010, you can be a fairly small business conducting affairs internationally,” said Landers.
Furthering the problems with SAS 70 is the widespread use of the auditing standard as a communication tool between service organizations and their customers.
Originally developed as a communication tool between the service auditor and the user auditor, SAS 70 was never intended to be, or be perceived as, a quality standard by the user organization itself or its stakeholders. However, Landers notes that, over time, more and more organizations were asking for a SAS 70 for their internal auditors or operations people – not their financial statement auditors.
“The accounting standards board recognized that SAS 70 had unintentionally become more than an auditor-to-auditor report. The question, then, was how to address that. They looked to see how other standards have addressed it, such as Auditing Standard No. 5 (AS5), and subsequently adopted the management self-assertion into the report. This management self-assertion serves as a communication and commitment from the service organization itself to its user organizations,” he said.
Defining SSAE 16
SSAE 16, like SAS 70 before it, is an auditor-to-auditor opinion of the controls the service organization has around the services it provides to its user organizations. However, SSAE 16 has some key differences from SAS 70, including:
- The requirement of service organization management to provide a written assertion attesting as to the fair presentation and design of controls (in a Type 1 report) or the fair presentation, design and operating effectiveness of controls (in a Type 2 report)
- The requirement of subservice organizations (if applicable) to provide an assertion similar to the management assertion provided by the service organization’s management when the “Inclusive Method” is used by the service auditor for any subservice organization
- Disclosure by the service auditors within their report identifying reliance (if any) they have placed on the work of internal audit
- In a Type 2 report, the service auditor’s opinion on the appropriateness of the design of controls now states that the controls were designed well throughout “the entire period” rather than “as of a period”
“The added measures in SSAE 16 are intended for the management of the company to verify that their controls are operating well,” said Landers. “Our opinion is still intended for the user organization’s financial auditor, but the written self-assertion is intended for the management, who should be responsible for assessing risks and monitoring them so operations run more effectively. This is something that management should be taking care of and is more clearly spelled out in this statement.”
Another improvement in SSAE 16, said Landers, is that “it is very similar, in some places identical, to the new international accounting standards requirement for internal controls for the service organization. Because of this, it is now much easier for companies growing at international proportions to make a smoother transition.”
Changes for Organizations
In the report, the written assertion will be a separate component that will generally be placed on the service organization’s letterhead and signed by the appropriate member of management. Additionally, section two of the report, “Description of the System of Controls,” now must include a much more detailed description of the controls, management activities and risk assessments in place to actively monitor internal controls.
Landers notes that this statement will not be signed blindly by C-level executives – nor should it.
“You’re not going to be allowed to do nothing and then put the assertion in the report. You must have a basis for your assertion and proper monitoring of controls in place,” he said. “Typically management already has the necessary controls in place for this as part of their operation. The issue now is to ensure they are reasonably evidenced, that all controls are addressed in some fashion, and that management is made aware if something was to go wrong.”
Landers believes this process will be more burdensome for the service organization, but only for the first year or so after the transition. That is because organizations must not only write the assertion but now must also make certain that controls are in order and under continual monitoring.
“The other aspect of SSAE 16 that creates a little bit of a burden is that service organizations are now required to have a more robust description of controls. Where SAS 70 left room for interpretation on this, SSAE 16 does not. This will be more work for companies who have historically erred on the minimalist side when describing their controls. Now, this must include policy, infrastructure, people, etc. It must be more thorough so as to understand the flow of activities from start to finish.”
SSAE 16 provides the evolution in reports that service auditors need to ensure they continue to be useful now and in the future as systems, controls and processes continue to increase in complexity.
Creating a Smooth Transition
Though SSAE 16 does not take effect until June 15, 2011, service organizations must prepare now for the impending transition.
“They need to figure out who is going to sign the assertion so that person is aware of whether or not controls are in place,” said Landers. “This should be done at the start of the audit period so this person has some involvement in the risk assessment and can ensure there is a reasonable monitoring effort. Organizations should assign an internal project manager to this task to make sure all of this happens and that monitoring is being done internally on a monthly basis.”
He notes that the biggest concern he has for his clients is that they may wait until the last minute.
“Organizations may look at this and think they don’t need to take action until April or May of 2011. That’s not true. The new regulations are effective for any report issued on or after June 15, 2011, which means organizations need to get their ducks in a row now to start their period that ends on or after June 15 compliant with the new SSAE 16. The majority of companies will have their current SAS 70 periods end September 2010, which means come October 1, the new standard comes into play.”
As far as the impact of moving service organizations under attest rather than audit, Landers believes there will not be much of an impact at all.
“It is more of a housekeeping matter,” he said. “The SSAE tends to be a more appropriate place for this type of standard, since SAS’s are directly related to financial statements and SSAE’s tend to incorporate things that are a little broader.”
Landers believes this change will absolutely be a positive one for organizations.
“I think the historic standard of SAS 70 was certainly adequate for its time, but the new standard is in line with international standards, and this is important,” he said. “Additionally, because organizations are required to complete a self-assertion, they are more likely to create a strong internal control environment, thus increasing the likelihood of a stronger control environment and a successful report. Once everything is in place, I believe that this will create a much better environment for reporting for service organizations.”