SAS 70 Reports: New Standards Will Bring Changes
September 22, 2010
Pietra Buelow, Director – General Business Consulting
The American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB) recently issued new standards for an auditor’s report on the controls of a service organization, commonly referred to as a “SAS 70” report.
The New Standards: SSAE 16 and ISAE 3402
Beginning with reporting periods ending on or after June 15, 2011, “SAS 70” reports will be performed in accordance with one of the following new standards:
- Within the United States: Statement on Standards for Attestation Engagements No.16 (SSAE 16), Reporting on Controls at a Service Organization.
- Internationally: International Standards on Attestation Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization.
In the United States, the SSAE 16 standard will supersede SAS 70. It is expected to be the standard favored by service organizations whose customers are primarily U.S.-based. Service organizations with global customers may opt to use SSAE 16, but may decide that ISAE 3402 would provide a greater benefit to their customers. Either standard may be adopted earlier than the June 2011 effective date; however, early adoption in the U.S. is not expected to be widespread.
A SSAE 16 or ISAE 3402 examination will focus on a user entity’s internal control as it relates to financial reporting. Under the new standards, there will continue to be two types of reports:
- Type 1: The service auditor reports on the fairness of the management’s description of the service organization’s system and the suitability of the design of the controls used to achieve the control objectives set forth in the description as of a specified date.
- Type 2: The service auditor reports on the fairness of the management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls used to achieve the control objectives set forth in the description throughout a specified period.
Under the new standards, a service auditor’s opinion will still be based on overall objectives similar to those of SAS 70.
Changes Introduced by the New Standards
In general, differences between the two new standards are subtle, but each incorporates a number of modifications and changes.
Both standards require a “management assertion” section (in both Type 1 and Type 2 reports). This means that management will need to provide a written assertion in the body of the report about the subject matter of the engagement, including the fair presentation of the description of its system, the suitability of the design of the controls, and (in the case of a Type 2 report) the operating effectiveness of the controls.
For example, for a Type 2 engagement, the service auditor would obtain a written assertion by management about whether in all material respects, and based on suitable criteria:
- management’s description of the service organization’s system fairly presents the system that was designed and implemented throughout the specified period
- the controls related to the control objectives stated in management’s description were suitably designed throughout the specified period to achieve those control objectives, and
- the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
Management also must specify the criteria that it uses to prepare the description of its system. The service auditor will assess whether these criteria meet the minimum requirements of the standards—a determining factor as to whether an examination will yield a Type 1 or Type 2 report.
The new standards introduce a number of other changes. For example, SAS 70 Type 2 reports allowed service auditors to opine on control design as of a specified date in time, but the new standards require an opinion that considers the design throughout the specified period. Type 1 reports, however, do not have this requirement; service auditors may continue to opine as of a specific date.
Do not worry about complying with these new requirements. Although the management assertion may require some extra time, your examination under the new standards should not differ significantly from the current SAS 70 examination process. Your team at Frank Rimerman will help you through the process.
For more information, contact Pietra Buelow, Director of Frank, Rimerman’s general business consulting group.
Download SAS 70 Reports: New Standards Will Bring Changes – September 22, 2010 Article