04.19.11
Increasingly, it has become more common for organizations to outsource to a third party business certain functions or business processes. In today’s marketplace, with much discussion about cloud computing and software as a service, it appears that this trend will increase outsourcing opportunities.
When an organization decides to outsource core business processes to a third party, oftentimes the risks of the service organization become the risks of the user entity. Management at user entities should consider how best to manage these risks as part of their outsourcing decision. For purposes of this discussion, a “user entity” can be defined as an entity that has engaged a third party (the service organization) to perform various services that are often a part of the user entity’s information system.
Since 1992, Statement on Auditing Standards No. 70 (SAS 70) has served as the industry standard for reporting on internal controls at service organizations. In the last 12 months, the International Auditing and Assurance Board (IASB) and the Auditing Standards Board (ASB) in the United States have undertaken an effort to develop a new standard as part of the accounting industry’s effort to more closely align global auditing standards.
The result of these efforts is the recently released Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that was introduced in April 2010, which is effective for reports dated on or after June 15, 2011. The new standard aligns with International Standard on Assurance Engagements (ISAE) 3402 - the international standard for controls at a third party service organization.
SAS 70 vs. SSAE 16 - What has changed?
There are a number of changes that SSAE 16 introduces. The table below summarizes the more notable changes:
| Topic | SAS 70 | SSAE 16 |
|---|---|---|
| Management Assertion | Not required | The service auditor must obtain a written assertion from management of the service organization. This assertion addresses the fairness of the presentation of the description of the service organization’s system and the suitability of the design and, in a Type II engagement, the operating effectiveness of the controls. |
| Auditor’s Opinion | The opinion on the description and on the suitability of the design of controls in a Type II report was as of a specified date. | In a Type II engagement, the service auditor’s opinion on the description of the service organization’s system and on the suitability of the design of controls covers a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). |
| Sub-Service Organizations Assertion | If a service organization desired to include the description of controls in place at a sub-service organization in its report, it was not required to obtain a management assertion from the sub-service organization. | If management desires to include the descriptions of controls in place at a sub-service organization, that sub-service organization must now also provide an assertion about the fairness of presentation of the description of its system and about the suitability of the design and operating effectiveness (Type II) of the controls that are included in management’s description of controls. |
Understanding the Scope and Purpose of SAS 70 and SSAE 16
A very common misconception about SAS 70 is that a service organization can become “SAS 70 certified.” In fact, no such certification exists under either the old standard or the new SSAE 16 standard.
A report issued under SSAE 16 (either a Type I or II report), or SAS 70 for that matter, is a report intended for the use of a user entity auditor and the user entity in understanding and evaluating the internal controls at a service organization. The service auditor’s reports include a detailed description of the service organization’s system (Type I and Type II), and a Type II report also includes a detailed description of tests of controls performed by the service auditor and the results of those tests. This information can be used to determine how the service organization’s system generates information and how the service organization interacts with the user entity’s financial reporting system, including how the information gets incorporated into the user entity’s financial statements.
One thing that has not changed under the new standard is the restricted use of the service auditor’s report. Under either SSAE 16 or SAS 70, the service auditor’s report is restricted to only the service organization client, user entities and user auditors. Therefore, an SSAE 16 report is not a general use report and, as such, should not be used by anyone other than the specified parties named in the restricted use paragraph.
In the past, many CPAs and service organizations used a SAS 70 report to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. SSAE 16 is not applicable to examinations of controls over subject matter other than financial reporting.
As noted above, with the advent of ever-increasing technological change in the marketplace as well as increased regulatory oversight, there has been increasing demand for reports on controls over subject matter other than financial reporting. In an effort to help CPAs meet the changing needs of organizations, the American Institute of Certified Public Accountants (AICPA) has established a framework to assist CPAs in examining controls and to help management understand the related risks. The AICPA established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports). The table below provides a high-level summary of the new framework and potential applications and uses of the new reports.
| Topic | SOC 1 Report | SOC 2 Report | SOC 3 Report |
|---|---|---|---|
| Authoritative Guidance | SSAE 16 | Attestation Standard 101 and the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, as well as the criteria defined in Trust Services Principles, Criteria and Illustrations | Attestation Standard 101 and the AICPA Technical Practice Aid, Trust Services Principles, Criteria and Illustrations |
| Restricted Use Report | Yes | Yes | No |
| Purpose of Report | Reports on controls relevant to financial statement audits | Reports on controls related to compliance or operations | Reports on controls related to compliance or operations |
| Applicability | Reports on controls at a service organization relevant to user entities’ internal control over financial reporting. | Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. | Similar to a SOC 2 report, but the SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results and no opinion on the description of the system). It also permits the service organization to display the SOC 3 report and the SysTrust for Service Organizations seal on its website. |
Argy, Wiltse & Robinson, PC is a full service public accounting firm headquartered in McLean, Virginia with expertise in assisting companies in evaluating their current and planned third party assurance needs, like those described above. Please call us at 703.893.0600 if you need assistance.
© 2012 Argy, Wiltse & Robinson, P.C., All Rights Reserved