The Auditing Standards Board (ASB) of the American Institute of CPAs has just issued a new attestation standards that enables CPAs to report on the controls at a service organization (SOC) particularly ones that provide outsourced services to other companies, including services via technologies like cloud computing, called “Statement on Standards for Attestation Engagements coded number 16”—or just SSAE 16.
The SSAE 16 (effective for service auditors’ reports for periods ending on or after June 15, 2011)—which supersedes the guidance for service auditors in SAS 70 (sometimes used interchangeably with AU section 324) –is applicable when an entity outsources a business task or function to another entity, and the data resulting from that task or function is incorporated in the outsourcer’s financial statements.
Note: In SSAE 16 an entity that performs a specialized task or function for other entities is known as “a service organization” and an entity that outsources the task or function to a service organization is known as a “user entity“.
One way a user auditor may obtain evidence about the quality and accuracy of the data provided to a user entity by a service organization is to obtain a CPA’s report (a service auditor’s report) on controls at the service organization that affect data provided to the user entities and incorporated in the user entities’ financial statements.
If a company outsources a function to a service organization—say one that that processes medical claims for health insurance companies, the auditor of that company’s financial statements will need to understand the design of the service organization’s controls over the claiming process, because the data resulting from claiming will ultimately be included in the company’s financial statements.
The auditor also needs to determine whether those controls are appropriately designed and, in some cases, whether they are operating effectively. The most efficient way to do this is for the service organization to undergo an SSAE 16 engagement, which results in a SOC 1 report (service organization control report).
SSAE 16 (and also SAS 70) enables CPAs to provide two types of service auditor’s reports. In both reports the service organization must prepare a description of its system that includes, the nature of the service provided, how the service is performed, and the service organization’s controls over the service and related control objectives.
A service auditor may provide two types of reports:
- In a type 1 report, the service auditor expresses an opinion on whether the description is fairly presented (does it describe what actually exists?) and whether the controls included in the description are suitability designed. Controls that are suitably designed are able to achieve the related control objectives if they operate effectively.
- In a type 2 report, the service auditor’s report contains the same opinions that are included in a type 1 report but also includes an opinion on whether the controls were operating effectively. Controls that operate effectively do achieve the control objectives they were intended to achieve.
Both types of reports are examination reports which means the CPA obtains a high level of assurance.
Here are some important points that auditors need to know about SSAE 16:
1. SSAE isn’t identically with SAS 70 – The SASs primarily provide guidance on reporting on an audit of financial statements; whereas, the SSAEs primarily provide guidance on reporting on other subject matter. In a service auditor’s engagement, a CPA reports on a service organization’s description of its system and on the service organization’s controls that are relevant to user entities’ financial statements. Because an examination of a description of a system and controls is not an audit of financial statements, the ASB concluded that the new standard should be placed in the attestation standards. SSAE 16 is a product of the ASB’s project to clarify its standards and to converge with standards of the International Auditing and Assurance Standards Board (IAASB).
2. Auditors need to obtain evidence and assurance at the same level as In the SAS 70 – In an SSAE 16 engagement , the service auditor obtain the same level of evidence and provide the same level of assurance to report users as the service auditor did under SAS 70. The procedures required by SSAE 16 are either the same as, or in some cases, more rigorous than those required by SAS 70.
3. SSAE 16 does not replace bith SAS 70 neither AU Section 324 – The guidance for user auditors will be unchanged until the new SAS for user auditors, already approved by the ASB, becomes effective. The new SAS does not contain any significant changes for user auditors. However, the ASB believes that because the new SAS is written in clarity format, it will be easier for user auditors to use and thereby meet their responsibilities. The new guidance for user auditors will remain in the SASs.
4. SSAE 16’s effective date – SSAE 16 is effective for service auditor’s reports for periods ending on or after June 15, 2011, with earlier implementation permitted. This is the same effective date as the effective date of the IAASB’s standard for service auditors.
5. SSAE is not for marketing or promotional materials – Service organizations should not use an SSAE 16 service auditor’s report to market their services to potential customers. The nature of the services performed at a service organization, how they are performed, and the controls over those services differ for each service organization. A service auditor’s report only addresses controls that the service organization believes would be relevant to clients of the service organization and their user auditors. Therefore, a service auditor’s report provides useful information only to a user organization that actually uses those services and needs that information to make decisions about its own internal control over financial reporting.
6. There won’t be “SSAE 16 certified” – A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor to auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.
7. SSAE 16 may not be used for reporting on controls over subject matter other than financial reporting – As same as SAS 70, SSAE 16 does not apply to examinations of controls over subject matter other than financial reporting. Such engagements would be performed under AT Section 101, Attest Engagements, of the attestation standards.
In addition to revising the service organizations guide to help CPAs implement SSAE 16, the AICPA is also developing a new guide Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy that addresses reporting on a service provider’s controls over subject matter other than financial reporting.
The increasing use of cloud computing companies (which provide user entities with on-demand network access to a shared pool of computing resources–e.g. networks, servers, storage, applications, and services) has created an increasing demand for CPAs to report on nonfinancial reporting controls implemented by cloud computing service providers.
There are two major changes on SSAE 16 that would affect a service auditor’s engagement:
First, management of the service organization will now be required to provide the service auditor with a written assertion about the fairness of the presentation of the description of the system, and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls. That assertion will either accompany the service auditor’s report or be included in the service organization’s description.
Second, in a type 2 engagement, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). In SAS 70, the description of the service organization’s system in a type 2 report was as of a specified date, rather than for a period.