Get Ready for the Transition from SAS 70 to SSAE 16

This year the SSAE 16 assessment standard will replace the SAS 70 audit standard.

It seems that there really is no rest for the weary. The direct impact of this change might be uncertain for some of you. This article will help you understand the similarities and differences between these standards, whether you are:

• A CPA who provides advice to internal or external clients,
• An executive of a company that undergoes SAS 70 audits, or
• An employee impacted by the audit or assessment activities (like an IT manager or HR professional, for example). 

How is the SSAE 16 standard different from SAS 70?

Management Attestation
SSAE 16 is an attest standard, not an audit standard. This accounting technicality relates to the SSAE 16 assessment requirement that management will attest in writing to the fair presentation and design of the company’s controls. Under the previous SAS 70 standard, only the auditors reported on controls; the company’s management was not required to make any attestations. This attestation is the main difference between SAS 70 and SSAE 16.

Under SAS 70, your company’s management provided representations in the form of a signed management representation letter given to the auditors prior to issuance of the SAS 70 report.  The letter was not included in the actual report, however. 

A company’s “system,” in the language of the SSAE 16 standard, is the system that delivers services along with the controls and activities that support service delivery. Management’s attestations, included in the SSAE 16 report, are based on their description of their system. Management will attest:

• That management’s description of the system fairly presents the system that was designed and implemented during either the period covered by the assessment (called a “Type II” assessment) or at a point in time (called a “Type I”);

• That the controls related to the control objectives stated in that description were suitably designed during that period (for a Type II) or at that point in time (for a Type I) to achieve the control objectives; and

• For Type II assessments, that the controls operated effectively throughout that period to achieve the control objectives.

The auditors will examine the company’s controls to form their own opinion on these matters. The fact that management must now make these attestations further highlights management’s full responsibility for the controls in operation, and also better aligns SSAE 16 with SOX.

The management of SOX-affected companies is held accountable for the veracity of its financial report attestations, and SSAE 16’s attestation requirement keeps the same kind of accountability in place for service organizations.

Suitable Criteria for Evaluation
New in SSAE 16 is a requirement that a company’s management must use suitable criteria for evaluating the overall system used to provide services. The criteria used must be specified in the management attestation section of the report.

The criteria should come from a widely recognized standard.  Which standard to use depends on the type of services the company provides; standards such as ITIL, COSO, COBIT or ISO may apply. Guidance regarding suitable criteria is provided in the SSAE 16 standard. 

Evidence from Prior Engagements Disallowed
Under SAS 70, auditors could use evidence collected during prior audits to reduce the extent and duration of controls testing. Under SSAE 16, auditors may not use evidence from prior engagements about the satisfactory operation of controls, even if that evidence is supplemented with new evidence provided for the current reporting period. 

As a result, companies now accustomed to reuse of prior evidence will find their preparatory work increased under the SSAE 16 assessment. 

Disclosure of Reliance on Internal Auditors
If any tests of controls are performed by a company’s internal auditor, the SSAE 16 engagement auditor is required to clearly identify those tests in their description and describe their procedures with respect to the internal auditor’s work. The SAS 70 standard did not require such disclosure. 

This will require that the company undergoing assessment provide a detailed description of their internal audit activities, processes, tools, and conclusions to the SSAE 16 engagement auditor.  

Restrictions on Report Use
SAS 70 restricted use of the audit report to a company’s management, customers and financial statement auditors. SSAE 16 further narrows the restriction regarding customers, depending on the type of report. For a Type I, use is restricted to entities that are customers as of the report date.  For a Type II, use is restricted to entities that are customers during the report period.

Included versus Excluded Subservice Providers
A service provider may itself rely on services provided by another company in the course of doing business (for example, a data center). If the services subject to a company’s SSAE 16 assessment depend on anything obtained from another service provider (called a “subservice organization”), one of two methods applies: the inclusive method or the carve-out method.

The choice of method has not changed from the SAS 70 standard. What differs in SSAE 16 is that, for the inclusive method, a subservice provider’s management must provide its own set of assertions regarding its internal controls. If such assertions cannot be obtained from the subservice provider, the carve-out method must be used.

As with SAS 70, the inclusive method includes the subservice providers’ controls in the assessment, requiring assessment participation from the provider. A carve-out assessment excludes the subservice provider’s controls from the assessment, but would not relieve the company from the need to monitor the subservice provider’s controls.

With a carve-out assessment, a company would probably want to also obtain the subservice provider’s own SSAE 16 report as a way to address the subservice provider’s controls. The choices for monitoring those controls get more complicated if a key subservice provider forgoes an SSAE 16 assessment of the right type. The choice of inclusive or carve-out method depends on whether a company’s customers would find a carve-out assessment acceptable, and whether the subservice providers can reliably provide an assessment report of their own.

What then remains the same?

Scope of the Assessment
The SSAE 16 standard, as with the SAS 70 standard, does not dictate the set of controls that must be covered by the assessment. The company being assessed decides which controls are pertinent to the services it provides. That decision could be poorly made if a company fails to anticipate what its customers’ auditors would consider pertinent to the scope of the assessment. 

One way a company can define scope is to review its services contracts.  The contractual obligations around services delivered may reasonably draw the boundaries that define a system and the controls that support it. 

System Description
SSAE 16 also relies on a written description of the system, the controls, and the objectives that the controls are designed to meet, just as with SAS 70. The auditors assess whether the description fairly describes the system and controls, and whether the controls are designed to meet the stated objectives. 

Control objectives are stated in a similar fashion in SSAE 16 as in SAS 70. For example: “Control activities provide reasonable assurance that information systems are protected from unauthorized access, interference, damage or destruction.” For each objective, the activities performed to meet the objective must also be described.  The auditors performing the SSAE 16 assessment will ask for evidence to support the claim of undertaking these activities. 

Type I and Type II
As with SAS 70, SSAE 16 reports come in one of two types: Type I or Type II. Both types rely on management’s description of controls. The scope of each type of report is similar to that under SAS 70.  Type I assesses whether a company’s internal controls are fairly and completely described and whether they have been adequately designed to meet their objectives, assessing the controls in place at a certain point in time. Type II does the same, but takes it further—it actually tests the controls in operation over a certain stated time period. This means the Type II is more thorough and requires more time and effort.

The type of assessment report that a company needs (I or II) depends on which type its customers request. The customers know how the services impact their operations, which in turn determines the type of report they will require.

Basic Format of the Audit Report
Beyond the management attestation, the auditor’s reports will follow the same basic format as for SAS 70, with the following components:

• The auditor’s Opinion Letter, which states whether they believe the company’s controls are adequate (also called the “Independent Service Auditor’s Report”)
• The descriptions of the services the company provides, and its controls, covering:
  o The control environment (management style, ethical philosophy, organizational structure, etc.)
  o Risk assessment and management
  o Information and communication systems
  o General controls
  o Application controls
  o Monitoring procedures
• User control considerations (a “user organization” means a customer using the services in question)
• Any other relevant information, provided by your management, that may apply to the report

Assessment Process
Like the SAS 70 audit, the SSAE 16 assessment requires that the auditors review the management’s assessment of their controls and provide an opinion on its validity. They will review the control objectives and control activities at the company to verify that they exist and are designed as described.

The auditors will obtain samples of artifacts (like documents or reports) to support each control activity. For Type II assessments, the auditors will test the effectiveness of the controls, to determine that they can reasonably meet the control objectives they were designed to meet. 

What about the ISAE 3402 Standard?  
SSAE 16 also responds to the convergence of U.S. accounting standards with the globally accepted principles for reporting on controls at service organizations (ISAE 3402).

SSAE 16 and ISAE 3402 are similar in many respects. A company should seek its auditor’s advice before deciding to undergo a separate assessment (and report) for that standard. 

Companies are not “Certified”
Although this may seem a trivial point, the AICPA apparently disagrees with the commonly used phrases “SAS 70 Certified” or “SSAE 16 Certified”.

Technically, no certification is conferred under these standards. It is more accurate to say, “SSAE 16 Compliant.”

Who is Impacted by SSAE 16?
Any organization required to undergo SAS 70 audits will need to understand the new SSAE 16 standard. The SSAE 16 standard superseded the SAS 70 standard on June 15, 2011. Any auditor’s report produced after that date must conform to the new standard.

SSAE 16 applies to the same companies as SAS 70, and in similar ways. If your company provides services to publicly traded companies registered with the Securities and Exchange Commission, you may need to produce an “Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design of Controls” in accordance with the American Institute of CPAs' Statement on Standards for Attestation Engagements 16 (SSAE 16). This is more simply (and mercifully) known as an SSAE 16 assessment.

Companies that offer services such as payroll processing, benefits administration or claims processing are among those whose customers may require a copy of their SSAE 16 assessment report. Do you sell a Software-as-a-Service or “Cloud” offering to publicly traded companies? If you do, you are a service organization, and may be subject to this requirement. 

Many adopted the convention of pronouncing SAS 70 as “sass seventy.” The author of this article makes no comment on whether it would be prudent to refer to “SSAE” as “sassy.” Phonetic choices are left to the reader’s discretion. 

What is the Rationale for These Assessments?
One hates to drop the “E-bomb” in polite conversation. Yet, Enron and other accounting scandals have not faded from the long memory of regulatory requirements. In response to such scandals, the Sarbanes-Oxley Act holds officers of publicly traded companies responsible for the fairness and completeness of their company’s financial statements.

It is a fact, however, that any company’s financial statements are only as reliable as its internal controls. These controls are the processes designed to meet objectives for financial reporting reliability, operational effectiveness and efficiency, and compliance with applicable laws and regulations. That is why the SOX Act requires that signing officers evaluate their controls and report any deficiencies.

Companies that are not publicly traded may still be impacted by SOX. If a company’s services impact the financial statements of one of their SOX-affected customers in any way, then the service-provider’s own controls come into question under SOX. That’s because SOX requires companies to vouch for all the controls that keep their financial reporting honest—which includes those of their service providers. So how could any company’s officers attest to the quality of their service providers’ controls? Without SSAE 16 assessments, the choices would be daunting. 

A company could: 1) audit the service providers’ controls to make assertions about their quality, 2) take charge of the service providers’ controls, or 3) state that the service providers’ unknown controls are a possible weakness in their own. 

These choices are obviously flawed. No publicly traded company wants to go on record admitting to inadequate controls. On the other hand, it would be hard to audit every service provider one does business with, or to take charge of their controls. Similarly, service providers with multiple SOX-affected customers could go bankrupt responding to an onslaught of customer audits throughout the year.

The SSAE 16 assessment is designed to solve these problems. A service provider can choose to undergo only its own SSAE 16 assessment, and then simply provide a copy of the SSAE 16 auditor’s report to any of its customers’ auditors who request it. Because it’s an “auditor-to-auditor” report, a company’s auditors can rely on the report to verify the quality of their service providers’ controls, without having to assess the service providers themselves.

Getting Ready for SSAE 16 - First Timers
The bad news is that companies with no prior SAS 70 audit experience will not find their first assessment is made easier by the new SSAE 16 standard. The good news is that it won’t be tremendously more difficult. The new requirements are a small percentage of the total work required to prepare for a first-time assessment, since the bulk of the work is in describing and documenting controls. 

Many firms offer readiness engagements to help companies prepare for their first SSAE 16 assessment, which can go a long way toward assuring that the first assessment goes smoothly. Such assurance can be worth the investment, because the auditor’s opinion letter will clearly reveal any problems or gaps, which is an undesirable outcome for all the time, effort and money spent on the assessment. SSAE 16 compliance is often a requirement for obtaining or keeping key customer accounts, so the stakes can be high.

For an SSAE 16 assessment, just as with a SAS 70 audit, the auditors will “walk through” the controls being assessed and interview employees who have a role in performing the controls. This means that in preparing for the assessment, a company must draft its controls description in coordination with the employees who perform the control activities. The employees should collaborate to verify that the description is complete and accurate, and to provide the samples that serve as evidence of the controls.  Although this work remains the same in SSAE 16, the new management attestation requirement may trigger a more intense focus on controls by the company’s executives. 

Currently Audited Companies
Companies that are currently undergoing regular SAS 70 audits will see a bit of extra work when they move to SSAE 16 assessments. The transition to SSAE 16 includes:

• Writing the management attestation;
• Verifying that the appropriate criteria are used for system evaluation and documenting the criteria;
• Dealing with subservice providers by:
 o Obtaining the necessary attestations and cooperation from subservice providers (for the inclusive method), or
 o Obtaining the SSAE 16 assessment reports or devising other appropriate ways to monitor their controls (for the carve-out method);
• Providing evidence for every control, when the company may be accustomed to the reuse of prior evidence; and
• Coordinating with the SSAE 16 assessment auditors in the event your own internal auditors have assessed or will assess your controls. 

Be aware: the new standard applied on June 15, 2011. This means some companies may be impacted as early as July 1, 2011. Be prepared!

Amanda Finch is the director of strategic alliances at Journyx, a company that provides Web-based time-tracking, project accounting and resource management solutions that guide customers to per-person, per-project profitability. Drawing on her expertise in application development, program management, business development and compliance, she helps ensure effective execution of corporate strategy through alliances and partnerships.
