As we prepare for the replacement of SAS 70 by SSAE 16, articles and vendor whitepapers are flooding the landscape.
These documents typically provide only cursory descriptions of the similarities and differences between the standards. One of the differences most commonly cited is the materiality concept introduced by SSAE 16. Without a detailed explanation, one might assume that materiality means new leeway and discretion in terms of disclosures within SSAE 16 reports, especially as it relates to testing exceptions, but that assumption would be very wrong.
Before going any further, let's examine the single paragraph of SSAE 16 that introduces the materiality concept:
While planning and performing the engagement, the service auditor should evaluate materiality with respect to the fair presentation of management's description of the service organization's system, the suitability of the design of controls to achieve the related control objectives stated in the description and, in the case of a type 2 report, the operating effectiveness of the controls to achieve the related control objectives stated in the description.
As you can see, the concept is self-explanatory. Service auditors are directed to use materiality when forming the basis for their opinion. This is good information to know, but does this mean that materiality can also be applied when disclosing testing exceptions? For that answer, we look to paragraph .A27 of the SSAE 16 explanatory material, which states:
The concept of materiality is not applied when disclosing, in the description of the tests of controls, the results of those tests when deviations have been identified. This is because, in the particular circumstances of a specific user entity or user auditor, a deviation may have significance beyond whether or not, in the opinion of the service auditor, it prevents a control from operating effectively. For example, the control to which the deviation relates may be particularly significant in preventing a certain type of error that may be material in the particular circumstances of a user entity's financial statements.
So the answer to the question is a resounding no. The otherwise innocuous sentence highlighted above is actually a very important change from the SAS 70 standard because it closes a loophole, of sorts. The word "materiality" only appears twice in the SAS 70 audit standard and neither occurrence is pertinent to this discussion. But as anyone familiar with type 2 SAS 70 audit reports knows, the auditor's test results are normally stated as "no relevant exceptions noted" when there are no testing deviations. And therein lies the issue: relevance.
Relevance is a matter of opinion, and when it comes to CPAs, opinions vary widely. I would like to believe that every service auditor discloses all testing deviations, thus avoiding the need to speculate about the relevance of test results. However, we know that some CPA firms use relevance as a mechanism for withholding certain testing exceptions that they deem to be irrelevant. Although this is a legitimate act when reporting under the SAS 70 standard, it prevents user entities and user auditors from having the opportunity to make their own decisions regarding the relevance and materiality of testing deviations. This practice also has the inherent risk that the CPA could erroneously conclude that a testing deviation is irrelevant when it would otherwise be deemed critically relevant by one or more report users.
Realizing that CPA firms are not clairvoyant, the AICPA has effectively declared that service auditors will no longer be permitted to hypothesize about what may, or may not, be relevant to user entities and user auditors. The practical implications of this change are two-fold. First, firms that currently use materiality and relevance in reporting testing exceptions must cease doing so when reporting in accordance with the SSAE 16 standard.
Secondly, "no exceptions noted" will most likely become the new de facto method of reporting that no testing deviations were identified by the service auditor. Report users will no longer have to wonder whether any testing deviations were withheld on the grounds of relevance.
Interestingly enough, this is one of the few significant differences between SSAE 16 and ISAE 3402, the equivalent international standard for reporting on controls at a service organization. ISAE 3402 allows service auditors to conclude that a testing deviation is an anomaly that is not representative of the population. In such cases, the service auditor may exclude anomalies from the published test results.
In its analysis of the differences between the SSAE 16 and ISAE 3402 standards (Ref. AT801.A72), the Auditing Standards Board makes it clear that it deleted this requirement from the adopted version of SSAE 16 because it was not comfortable with the potential unintended consequences. These unintended consequences are surely a reference to the ASB's distaste for the relevance issue that currently exists in SAS 70 reporting.
In fact, the ASB specifically states that deletion of this requirement will enhance examination quality because deviations identified by the service auditor in tests of controls involving sampling will be treated in the same manner as any other deviation identified by the practitioner, rather than as an anomaly.
For what it's worth, I could not agree more.
Chris Schellman is the president and founder of service audit provider SAS 70 Solutions, Inc. He has led over 600 SAS 70 audits over the past decade and spends a significant amount of time educating others on the topic. He is a former Big Four executive and maintains the designations of CPA, CISSP, CISA, CIA and PCI-QSA.