The 21st Century Version of SAS 70..SSAE 16


Mastering SAS 70 Audit Reports for Service Organizations

Evaluating Internal Controls Issues With Type I and Type II Reports

A Live 110-Minute Teleconference/Webinar with Interactive Q&A

Today's panel features:

Mark Agulnik, Senior Manager, Assurance Services, MarcumRachlin, Fort Lauderdale, Fla.

Eric Wright, Technology Shareholder, Schneider Downs, Pittsburgh

Scott Price, Director, A-lign CPAs, Tampa, Fla.

Steve Thompson, Shareholder, Schneider Downs, Pittsburgh

Powell Jones, Business Advisory Services Manager, Grant Thornton, Atlanta

Wednesday, June 16, 2010

The conference begins at:

1 pm Eastern

12 pm Central

11 am Mountain

10 am Pacific


www.aligncpa.com

The 21st Century Version of SAS 70…..SSAE 16

Overview of the Standard

In April 2010, the AICPA Auditing Standards Board issued the long-awaited Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. An attestation standard was chosen because CPAs were providing attestations on subject matter other than the fairness of the presentation of financial statements. The effective date for SSAE 16 is June 15, 2011; however, earlier implementation is permitted.

Similar to SAS 70, there remain two types of SSAE 16 audits. A Type 1 report is known as a report on management’s description of a service organization’s system and the suitability of the design of controls. A Type 2 report is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

Management will be called upon to describe their service organization’s system in the report. The description will need to include detail such as the processes describing how transactions are processed and reported to user organizations, the specified control objectives and controls designed to achieve those objectives, along with additional aspects of internal control such as control environment, risk assessment, information and communication systems, control activities and monitoring controls. In the case of a Type 2 report, management should include relevant details of changes to the service organization’s system during the period covered by the description.

Furthermore, management will need to provide the auditor with a written assertion to be included in the service auditor’s report. The written assertion should state the following:

Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period);

The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date (or for a Type 2 – throughout the specified period);

The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives (Type 2 only).

With the new SSAE 16, the service auditor will now make an attestation on these management assertions. The service auditor will assess whether management has used suitable criteria:

In preparing its description of the service organization’s system;

In evaluating whether controls were suitably designed to achieve the control objectives stated in the description; and

In the case of a Type 2 report, in evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description of the service


Key Differences from the SAS 70 Audit Standard

While at first look the new SSAE 16 standard and the old SAS 70 standard may appear to be very similar, there are significant differences. The first is the auditor’s opinion letter. The SAS 70 auditor’s opinion was a direct reporting opinion: the auditor directly reported on the fairness of the description of controls, the design of the control activities to meet the objectives, and whether the controls were placed in operation and their operating effectiveness. Under the SSAE 16 standard, auditors attest to management’s assertion as noted above.

The service auditor now has responsibility for determining whether management has used suitable criteria in preparing its description of the service organization’s system. The service auditor will need to understand the criteria and process management has performed to develop their assertion.

In the case of a Type 2 report, the SAS 70 audit standard did not identify which portion of the testing was performed by internal audit and which by the service auditor. The SSAE 16 standard reverses that stance: the service auditor will now disclose in a Type 2 report those tests that were performed by the client’s internal audit department, along with a description of the procedures the service auditor performed with respect to that work.

How do I prepare for SSAE 16?

Service organizations need to perform an analysis of their current SAS 70 audit description of controls to identify gaps in the description needed to satisfy SSAE 16 requirements. SSAE 16 requires the service organization to develop a description of the service organization’s system. The service auditor will examine the description of the service organization’s system to ensure it is fairly presented and ask questions regarding the description such as:

Does management’s description address all major aspects of the service provided and included in the scope of the engagement?

Is the description prepared at a level of detail that could reasonably be expected to provide a broad range of user auditors with sufficient information to obtain an understanding of the internal control structure?

After the description of systems has been drafted, the service organization needs to identify the control objectives and the risks that threaten the achievement of the control objectives stated in the description. The service organization also needs to design suitable controls that are operating effectively and provide reasonable assurance that the control objectives will be achieved.

Service organizations should begin to develop their assertions which will be included in the service auditor’s report. In addition, management should consider if any sub-service organizations need to develop assertions. Vendors who may not be sub-service organizations but have an impact on the service organization’s internal control structure should also be examined to determine if current contractual requirements to provide the service organization with a SAS 70 report should be updated for SSAE 16.


SSAE 16 is not for Cloud Computing

The AICPA is fully aware of the increased use of cloud computing companies and the need for assurance in the cloud computing arena. Neither SSAE 16 nor SAS 70 should be used to assess controls of cloud computing companies. The AICPA has created a special task force of the Assurance Services Executive Committee to write a new guide that will address such engagements, which are performed under AT Section 101. AT Section 101 allows CPAs to perform attestation engagements under that standard when no other applicable standard applies.

Service organizations should have discussions with their auditors or obtain consultation regarding the new SSAE 16 standard to ensure their compliance efforts are brought into the 21st century.

Scott G. Price, CPA, CFF, CISA, CIA, Director – A-lign CPAs

About the Author

Scott Price is a director at A-lign with over 12 years of experience providing risk advisory services including SAS 70 and internal audits, business process reviews, and regulatory compliance assessments. Scott is a Certified Public Accountant, Certified in Financial Forensics, Certified Information Systems Auditor and Certified Internal Auditor.

References:

SSAE 16: Reporting on Controls at a Service Organization


Recently, President Obama signed into law a major bill designed to create jobs, restore economic growth and strengthen America’s middle class. The new act, called the American Recovery and Reinvestment Act (or the Stimulus Act), contains $787 billion in spending programs, including nearly $300 billion in tax relief.

Following is a summary of the important tax provisions for individuals. Although many of the provisions are retroactive to January 1, 2009, they are also subject to phase-outs at higher income levels.

Refundable Making Work Pay Credit.

The act establishes the new Making Work Pay credit for 2009 and 2010. The credit amount equals the lesser of 6.2% of earned income or $400 ($800 for a married joint-filing couple). Since the credit is refundable, it can offset your entire federal income tax liability. The credit is subject to phase-out based upon Modified Adjusted Gross Income (MAGI).

One-time $250 Economic Recovery Payment for Eligible Federal Program Recipients. The new law provides a one-time $250 Economic Recovery Payment to certain government program recipients.

Temporary Sales Tax Deduction for Buyers of New Vehicles and Motor Homes. The new law adds a deduction for state and local sales and excise taxes paid on new (1) passenger autos and light trucks with gross vehicle weight ratings of 8,500 pounds or less; (2) motorcycles; and (3) motor homes purchased between 2/17/09 and 12/31/09. The deduction is limited to taxes allocable to the first $49,500 of the purchase price. The new standard deduction add-on or additional itemized deduction is subject to phase-out provisions.

Liberalized Higher Education Credit. For 2009 and 2010, the Stimulus Act includes taxpayer-friendly modifications to the Hope Scholarship higher education tax credit. The modified Hope credit equals 100% of the first $2,000 of qualified post-secondary education expenses

SAS 70 May Offer Marketing Advantage

In difficult economic times, it is imperative to distinguish your company from the competition. For service organizations, such as a payroll service provider, third party administrator, bank, data center, credit processing company or clearing house, obtaining a report on your internal controls (a SAS 70 report) from an independent Certified Public Accountant could be such a method.

Statement on Auditing Standards (SAS) No. 70 (SAS 70), as amended, Service Organizations, (AU Section 324) establishes standards and provides guidance to auditors reporting on a service organization’s internal controls specifically relating to the service(s) being provided. There are two types of SAS 70 reports, “Report on Controls Placed in Operation” (a Type 1 SAS 70) and “Report on Controls Placed in Operation and Tests of Operating Effectiveness” (a Type 2 SAS 70). A user auditor may use a Type 1 SAS 70 report to obtain an understanding of the controls necessary to assess the risk of material misstatement. In addition to using a Type 2 SAS 70 report to obtain an understanding of controls, a user auditor may use the report to reduce his or her assessments of control risk to low or moderate.

Customers appreciate the value of SAS 70. The report may demonstrate that the service organization has integrity, providing customers comfort in the services obtained. In addition, the report can offer potential marketing benefits. A payroll service provider, for example, requested noticing that one of the factors a potential customer used in selecting a payroll processing provider was whether the company had a SAS 70 report. Now, as part of its marketing strategy, the company actively promotes the fact that it has a current SAS 70 report. The company believes that the investment in the voluntary audit will ultimately improve its income and market share.

Historically, primarily large service organizations obtained SAS 70 reports. However, as a result of the involvement of independent auditors in internal controls, more auditors of public companies who use service organizations are requiring those service organizations to obtain SAS 70 reports. This has resulted in smaller service organizations obtaining SAS 70 reports. Recently, for example, a bill payment processing client requested a SAS 70 on its internal controls because its main customer, a public company, required a SAS 70 report for its service providers. Requiring that vendors provide a SAS 70 report may also reduce a company’s audit fees, to the extent the auditor can use the report to reduce audit procedures.

Obtaining a SAS 70 report is a great method for a service organization to advertise its services and distinguish itself from its competitors. A company that actively promotes the fact that it has a SAS 70 report may actually see an increase in its bottom line— even during difficult economic times.

Mark Agulnik is a Senior

New Legislation

Offers Tax Benefits
