It is being replaced (of course!) by the ever-so-easy to say acronym: SSAE 16. (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.) What a mouthful!
In April of this year, the AICPA (American Institute of Certified Public Accountants) released the new standard, which will become effective June 15th, 2011. Since this new standard still documents the previous year activities, you’ll have a year or so to get ready for the new requirements.
Why the changes?
International business requires a global standard. One reason for the change is the economic landscape has become more global. SAS 70 was a U.S. standard that was often being applied on an international basis. The International Auditing and Assurance Standards Board (IAASB) recognized this growing problem and issued International Standard on Assurance Engagements No. 3402 (ISAE 3402) in December 2009. SSAE 16 is substantially similar to the international standard, including the effective date of June 15, 2011.
SSAE 16 reports will meet the needs of a wider audience. A SAS 70 is designed to be an auditor-to-auditor communication. With an increased awareness and emphasis on controls and control assertions (because of Sarbanes-Oxley), more companies are requesting SAS 70 reports. Regulators, government agencies, internal Audit Boards, and end users of financial reports are the new audience for service organization reports such as SSAE 16 and ISAE 3402.
That being said, there are some changes in the requirements that will impact everyone who has an annual SAS 70, as well as any company that must require a report from their third party vendors. So, either way, read on:
1.Under a SAS 70, a service organization is responsible for providing a description of controls. There is no guidance on what needs to be included in that description so it could be limited to the relevant aspects of the internal control framework. Under [SSAE 16], a service organization provides a ‘description of its system’ as designed and implemented. While the term ‘system’ has many different definitions, a common and useful definition is “The controls, procedures, people, software, data, and infrastructure organized to achieve a specific objective.”
2.Also, under SSAE 16, the description must include significant changes to the system that occurred during the audit period (Type 2 audit). Service auditors will now opine on the implementation of the description for the audit period.
3. SSAE 16 introduces the concept of “suitable criteria”. Management is responsible for specifying the criteria used to prepare its system description. The service auditor is responsible for using suitable criteria for assessing that management’s description is fairly presented.
4.Under SSAE 16, management must identify the risks that threaten the achievement of the stated control objectives and assess whether the identified controls sufficiently address the risks. In essence, management is responsible for ensuring controls are in place to address each risk. The risk assessment is not included in the report but management must assert that it is effective.
5.Management will now be required to prepare a written assertion that will be included as a required component of the SSAE 16 report. Management will assert to its’ responsibilities, the fair presentation of the description of the system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. The assertion needs to be independent of the work of the service auditor. Sub service organization must also provide an assertion when the inclusive method is used.
There are cosmetic changes as well, but those won’t impact anyone but the report writer.
P.S. – All those companies that have “SAS 70” in their company name and web presence must not be having ANY fun.
And no, there is no “certification” for the SSAE 16 either.