SAS70 to SSAE16

The transition date of SAS70 to SSAE16 was June 15, 2011 and the new SSAE 16 requirements supersede the SAS 70 auditing standards for independent examination of and reporting on controls at service organizations. The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has put forth the Statement on Standards for Attestation Engagements (SSAE), number 16, requiring service organization to report additional information regarding their internal controls. The term SAS 70 which so many of us are familiar with will be replaced with SSAE 16, a new term which will be with us for a long time just as SAS 70 did.

New Requirements

With the transition of SAS70 to SSAE16, there are fundamentally two new requirements for reporting controls at service organizations which should enhance the scope of information provided and service auditor attestation on the design and operating effectiveness of controls at service organizations. These two new SSAE 16 requirements include additional information to be provided by the service organization management regarding 1) description of its "system", and 2) written management assertions.

What is a "system"?

The term "system" under SSAE 16 is referred to as the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. SAS 70 required a description of controls while SSAE 16 requires a description of the organization’s system which includes services provided, classes of transactions, manual and automated procedures, internal reporting, control objectives, control activities, and control elements per the COSO framework.

Written Management Assertion

Another important requirement arising from the transition of SAS70 to SSAE16 is a written assertion by management which is a formal statement by management asserting a number of items including management’s description of its system implemented at a specific date (Type 1) or over a period of time (Type 2) designed and operating effectively to achieve its control objectives, and, criteria used for assessing risks and related control objectives.

SSAE 16 Auditor Reports

The SSAE 16 audit reports include Type 1 and Type 2 reports. Type 1 will report on service organization’s management description of its system and control design, and Type 2 will additionally report on operating effectiveness of its controls.

Why Change from SAS 70 to SSAE 16

Although SAS 70 has been a globally recognized and accepted standard which has been amended a few times since 1992, the ASB has recognized the need for improving and aligning current SAS 70 standards with international standards (ISAE 3402) for reporting service organization controls. Such transition from SAS 70 to SSAE 16 requirements has been recognized due to the increase in Global service outsourcing, increased regulations and interest in internal controls (e.g. SOX 404) and reliance on SAS 70 reports. The International Standard on Assurance Engagements (ISAE), number 3402, developed by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC) is the new globally accepted standard for third party reporting on service organization controls which SSAE is attempting to align with.

Internal Audit Role

SSAE 16 states that if a service organization under a SSAE 16 attest examination has an internal audit group and staff, internal auditor (s) can be utilized for the examination, however, their objectivity and competency must be evaluated and their work must be supervised and reviewed by independent service auditors.

Read other business articles after learning about the transition of SAS70 to SSAE16.