Replacing SAS 70

New standards for engagements involving outsourcing

BY JUDITH M. SHERINSKY, CPA
August 1, 2010

Guidance for CPAs who audit the financial statements of entities that outsource work to service organizations and those who report on controls at service organizations is being revamped and relocated.

 

Since 1992, Statement on Auditing Standards (SAS) no. 70, Service Organizations, has been the source of the requirements and guidance for CPAs reporting on controls at service organizations and for CPAs auditing the financial statements of entities that use service organizations to accomplish tasks that may affect their financial statements. SAS no. 70 has been divided and replaced by two new standards. One is a Statement on Standards for Attestation Engagements (SSAE), also known as an attestation standard; the other is a SAS (an auditing standard). The requirements for reporting on controls at service organizations have been placed in SSAE no. 16, Reporting on Controls at a Service Organization (see Official Releases, page 82). The requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards, in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

 

Moving the requirements for CPAs reporting on controls at service organizations to the attestation standards better reflects the nature of the work being performed. SASs primarily provide guidance on reporting on an audit of financial statements, whereas the SSAEs primarily provide guidance on reporting on other subject matter. In a service auditor’s engagement, a CPA reports on a service organization’s description of its system and on a service organization’s controls that are relevant to user entities’ internal control over financial reporting. Because an examination of a description of a system and controls is not an audit of financial statements, the Auditing Standards Board (ASB) agreed that the new standard should be moved to the attestation standards. This decision also aligns with the ASB’s effort to converge its standards with those of the International Auditing and Assurance Standards Board (IAASB). SSAE no. 16 is based on the IAASB’s assurance standard (the equivalent of an attestation standard) for service auditors, International Standard on Assurance Engagements (ISAE) no. 3402, Assurance Reports on Controls at a Service Organization.

 

USING A SERVICE ORGANIZATION

Many companies function more efficiently and profitably by outsourcing certain tasks or functions to other organizations that have the personnel, expertise or equipment to accomplish the tasks. In some cases the outsourced work generates information that is included in the outsourcer’s financial statements, for example, claims expense and the related liability in the financial statements of health insurance companies. When the claims processing function is outsourced, health plan customers are instructed to submit their claims directly to the claims processor, which processes the claims based on rules established by the insurers, for example, rules related to eligibility and the amount to be paid for each service. The claims processor provides the insurers with data, such as the cost of claims processed during a period, and this information flows through to the insurers’ financial statements. Even though this information is generated by the claims processor, the insurers are responsible for the accuracy of that information because it is included in their financial statements.

 

For the auditors of the insurers’ financial statements, the responsibility for auditing the information generated by the claims processor is the same as it would be for auditing the other financial statement information generated by the insurers themselves. The auditors must find a way to obtain evidence that supports the assertions in the health insurers’ financial statements that include or are affected by the information generated by the claims processor. SSAE no. 16 identifies an entity that performs a specialized task or function for other entities as a service organization (in the prior example, the claims processor is the service organization) and the entities that outsource a task or function to a service organization as user entities (the health insurers in the example). The auditors auditing the financial statements of user entities are known as user auditors.

 

THE NEED FOR INFORMATION ABOUT THE SERVICE ORGANIZATION’S CONTROLS

Before detailing some of the changes brought about by SSAE no. 16, some background on the need for controls information in outsourcing relationships might be helpful.

 

In some cases, management of a user entity is able to monitor the quality of the data it receives from a service organization by establishing controls that enable it to prevent, or detect and correct, misstatements in its financial statements resulting from errors in the data received from a service organization. This would be the case if the user entity initiates and records the transactions it submits to the service organization for processing. For example, if management of a user entity instructs a broker-dealer to purchase or sell investments on its behalf (a directed account) and records the details of those transactions, it would be able to compare the information in the broker-dealer’s statements with its own records and with price quotes from independent sources to ensure that the transactions initiated by the user entity are accurately reflected in the broker-dealer’s statements. If the custodian of the investments is independent of the broker-dealer, management can compare the broker-dealer’s statements with the custodian’s statements to determine whether investments held at a specified date, per the broker-dealer’s statements, agree with, or can be reconciled to, investments held by the custodian at that date.

 

In other cases, the user entity relies on the service organization to initiate, execute and record the transactions. An example is a user entity that grants a broker-dealer authority to purchase and sell investments on its behalf based on written guidelines provided by the user entity (a discretionary account). In these circumstances, the broker-dealer is not required to obtain approval from the user entity before initiating each transaction because the broker-dealer has been authorized by the user entity to initiate transactions.

 

The broker-dealer usually provides the user entity with trade confirmations as well as periodic statements to inform the user entity of the transactions that have occurred, its holdings at a specified date, their value and the earnings on the investments. In that situation, all of the information provided to the user entity comes from the broker-dealer, and the user auditor may need to obtain information about the effectiveness of the broker-dealer’s controls that affect the quality and reliability of the information provided to the user entities.

 

Even though such controls are located and operating at the service organization, they are relevant to the user entity’s internal control over financial reporting because they are designed to prevent, or detect and correct, errors in the information provided to user entities. If controls at the broker-dealer are operating effectively, errors in the data provided to the user entities will be prevented, or detected and corrected, and misstatements in the user entities’ financial statements will be avoided.

 

HOW TO OBTAIN INFORMATION ABOUT A SERVICE ORGANIZATION’S CONTROLS

One approach a user auditor may take to obtain information about controls at a service organization that affect the data provided to user entities is to visit the service organization and test its controls. Theoretically this approach should work; however, when many businesses outsource to a service provider, there may also be many user auditors requesting to visit the service organization and talk to its personnel, all of which disrupts the service organization’s business.

 

To avoid this problem, a service organization may engage a CPA to report on controls at the service organization that affect the information provided to user entities and included in their financial statements. Such an engagement is commonly known as a service auditor’s engagement, and the CPA performing such an engagement is known as a service auditor.

 

Service organizations that undergo such an engagement generally provide copies of the service auditor’s report to their user entities, and the user entities provide them to their user auditors. The report enables user auditors to obtain evidence about the quality and accuracy of the information provided to the user entities. SSAE no. 16 contains the requirements and guidance for a CPA reporting on a service organization’s controls that are relevant to user entities’ internal control over financial reporting.

 

In a service auditor’s engagement, management of the service organization must provide a description of the service organization’s system that includes, among other things, the nature of the service provided to user entities, how the service is performed, the service organization’s controls over the service, and the related control objectives.

 

SSAE no. 16 enables a service auditor to issue two types of reports. In a type 1 report, the service auditor expresses an opinion on whether the description is fairly presented (that is, whether it describes what actually exists) and whether the controls included in the description are suitably designed. Controls that are suitably designed are able to achieve the related control objectives if they operate effectively. In a type 2 report, the service auditor’s report contains the same opinions as those in a type 1 report but also includes an opinion on whether the controls were operating effectively. Controls that operate effectively do achieve the control objectives they were intended to achieve. A type 2 report also includes a description of the service auditor’s tests of operating effectiveness and the results of those tests, so that user auditors can determine how the results of the service auditor’s tests affect a particular user entity.

 

NEW REQUIREMENTS AND OTHER CHANGES

One new requirement in SSAE no. 16 is for the service auditor to obtain a written assertion from management of the service organization about the fairness of the presentation of the description of the service organization’s system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls. That assertion will either accompany the service auditor’s report or be included in the description of the service organization’s system. In addition to the required management assertion, some of the other substantive changes introduced in SSAE no. 16 are that:

 

  • The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
  • The service auditor is required to identify in the description of tests of controls any tests of controls performed by internal auditors and the service auditor’s procedures with respect to that work.
  • In a type 2 engagement, the service auditor’s opinion on the description of the service organization’s system and on the suitability of the design of controls covers a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). In SAS no. 70, the opinion on the description and on the suitability of the design of controls in a type 2 report is as of a specified date, rather than for a period.
  • The service auditor’s examination report must contain the report elements identified in paragraph .85 of AT section 101. (These report elements are tailored to a service auditor’s engagement in paragraphs 52 and 53 of SSAE no. 16.)

 

NEW SAS FOR USER AUDITORS

The new SAS for user auditors finalized in May expands on how a user auditor audits the financial statements of a user entity to enable the user auditor to fulfill two important requirements of the risk assessment standards: (1) to obtain an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and (2) to design and perform further audit procedures responsive to those risks. It is based on the IAASB’s International Standard on Auditing no. 402. The effective date of the SAS is for audits of financial statements for periods ending on or after Dec. 15, 2012.

 

TIMING OF THE CHANGES

SSAE no. 16 will take effect before the new SAS for user auditors (the SSAE is effective for service auditor’s reports for periods ending on or after June 15, 2011); therefore, there will be a period when the guidance for service auditors in AU section 324 is superseded but the guidance for user auditors in AU section 324 is still effective. AU section 324 will not be updated until both the new SAS and SSAE no. 16 take effect. That decision was made because the guidance for service auditors and for user auditors in AU section 324 is so intertwined that, if the guidance for service auditors were deleted, the guidance for user auditors would no longer be meaningful.

 

Until the new SAS takes effect, user auditors should use the guidance currently in AU section 324. A notation will be placed at the beginning of AU section 324 informing readers that the guidance for service auditors has been superseded by SSAE no. 16. The new SAS does not contain any significant changes for user auditors. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU section 324. (The guidance for service auditors will be in the attestation standards in SSAE no. 16.)

 

HOW TO REPORT ON CONTROLS OVER MATTERS OTHER THAN FINANCIAL REPORTING

In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

 

There is increasing demand for reports on controls over subject matter other than financial reporting. For example, many user entities are required by law or regulation to maintain the privacy of the information they collect from customers, including the privacy of that information when it is at a service organization. To address these requirements, management of the user entity may ask the service organization for a CPA’s report on the effectiveness of its controls over the privacy of the information it processes for user entities.

 

If a CPA is engaged to examine and issue a report on controls over subject matter other than financial reporting, such an engagement should be performed under AT section 101, Attest Engagements, of the attestation standards, but not under SSAE no. 16 (nor under SAS no. 70).

 

The increasing use of cloud computing facilities, which provide user entities with on-demand network access to a shared pool of computing resources, such as networks, servers, storage, applications and services, has created an increased demand for reports by CPAs on controls over subject matter other than financial reporting at cloud computing facilities. A special task force of the AICPA Assurance Services Executive Committee is developing a new guide, Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, that will specifically address such engagements, which are performed under AT section 101. That guide is expected to be available in early 2011.

 

TRANSITIONING

Most service auditors believe that the new SSAE no. 16 and the related user auditor SAS will not significantly change practice. Up until the issuance of ISAE no. 3402, the international auditing and assurance standards contained an ISA for user auditors but did not contain a standard for service auditors performing a service auditor’s engagement. Many aspects of the new ISAE no. 3402 are based on SAS no. 70 as well as the more detailed implementation guidance in the related AICPA Audit Guide, Service Organizations: Applying SAS No. 70. Once CPAs who are familiar with the existing service organization standards become familiar with the geography of the new standards (user auditor guidance in the SASs, service auditor guidance in the SSAEs), it is likely that the transition will not be difficult.
Misconceptions About SAS 70

A popular misunderstanding about SAS no. 70 is that a service organization becomes “SAS 70 certified” after undergoing a type 1 or type 2 engagement. However, no such certification exists nor will it exist under SSAE no. 16.

 

An SSAE 16 report (as with a SAS 70 report) is primarily an auditor-to-auditor communication, designed to provide user auditors with detailed information about controls at a service organization that affect the information provided to user entities. All service auditors’ reports include a detailed description of the service organization’s system, and a type 2 report includes a detailed description of tests of controls performed by the service auditor and the results of those tests. The user auditor reads this detailed information to determine how the service organization’s system generates information and how the service organization interacts with the user entity’s financial reporting system, including how the information gets incorporated into the user entity’s financial statements. Such information generally is lengthy and detailed and could not be communicated via a certification.

 

Use of an SSAE 16 report, like a SAS 70 report, is restricted by the service auditor to only the service organization client, user entities and user auditors. Therefore, an SSAE 16 report is not a general use report and, as such, should not be used by anyone other than the specified parties named in the restricted use paragraph.
EXECUTIVE SUMMARY

 

  As part of the Auditing Standards Board’s efforts to converge U.S. and international standards, SAS no. 70 is being divided into parts and replaced by two new standards. The changes also place the standards in areas that better reflect the nature of the subject matter and the work performed.

 

  SSAE no. 16, Reporting on Controls at a Service Organization, is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization. It is effective for reports for periods ending on or after June 15, 2011. Earlier implementation is permitted.

 

  One new requirement in SSAE no. 16 is for the service auditor to obtain a written assertion from the service organization’s management about the fairness of the presentation of the description of its system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls.

 

  In May, the ASB finalized a new SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization, that is based on the IAASB’s International Standard on Auditing no. 402. It expands on how an auditor audits the financial statements of an entity that outsources tasks that affect its financial statements to enable the auditor to fulfill two requirements of the risk assessment standards: obtaining an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement, and designing and performing further audit procedures responsive to those risks.

 

  Requirements for CPAs examining and issuing reports on controls over subject matter other than financial reporting are housed in AT section 101, Attest Engagements, of the attestation standards, not under SSAE no. 16 (nor under SAS no. 70). The AICPA is developing a new guide that addresses reporting on a service provider’s controls over subject matter other than financial reporting.

 

Judith M. Sherinsky (jsherinsky@aicpa.org) is a technical manager, audit and attest standards, for the AICPA.

 

To comment on this article or to suggest an idea for another article, contact Kim Nilsen, JofA editorial director, at knilsen@aicpa.org or 919-402-4048.
AICPA RESOURCES

 

Archived webcast

“SAS 70 the Next Generation: Planning for the New Service Organization Standards” (#780225)

 

Websites

Read a summary of SSAE no. 16 at tinyurl.com/29p6nx3 and a frequently asked questions document at tinyurl.com/36mxc23.

 

Publications

  • To help CPAs make the transition from SAS no. 70 to SSAE no. 16, a task force of the ASB is revising the existing Audit Guide Service Organizations: Applying SAS No. 70, as Amended (the SAS 70 guide) to reflect the requirements and guidance in SSAE no. 16. The revised guide is expected to be available for sale in early 2011.
  • The Audit Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy will address reporting on a service provider’s controls over subject matter other than financial reporting. It is slated for release in early 2011.

 

For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.

 

On-Site Training

Annual Update for Accountants and Auditors (#AUAA)

 

To access courses, go to aicpalearning.org and click on “On-Site Training” then search by “Acronym Index.” If you need assistance, please contact a training representative at 800-634-6780 (option 1).