Enter SSAE 16 and it’s new requirement for service organizations to provide a description of its “system”. As for out with the old and in with the new, Statement on Auditing Standards No. 70, simply known as SAS 70 to all of us, required “only” a description of “controls”. I stress “only” because it has gradually being acknowledged by most professional auditors that the new SSAE 16 requirement of a description of one’s “system” is looked upon as more detailed, comprehensive, and far-reaching than that of the SAS 70 audit’s description of “controls”.
In fact, literature released by the AICPA in 2010 regarding the new SSAE 16 standard clearly illustrates and gives examples of what is considered subject matter for a description of a service organization’s “system”.
Service organizations are going to have to re-visit their previous SAS 70 description of “controls” narrative, and possibly make significant changes to meet the true intent, rigor and spirit of the new SSAE 16 reporting requirements.
My advice? Work with your auditor for ensuring your description of the “system” meets the requirements set by SSAE 16.