Attestation


The AICPA issued Technical Practice Aids (TPAs) 9520.12–.26 to provide nonauthoritative guidance regarding Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801).
 
The TPAs provide guidance for service auditors reporting on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR), and also to user auditors who audit the financial statements of entities that use a service organization. SSAE no. 16 supersedes the guidance for service auditors that is in Statement on Auditing Standards no. 70, Service Organizations (AICPA, Professional Standards, AU sec. 324). The guidance for user auditors will remain in the auditing standards.
 
The TPAs cover topics including the effect of moving the guidance for service auditors from the auditing standards to the attestation standards, the changes introduced by SSAE no. 16, the content of management’s assertion, determining whether an outside CPA firm that performs significant accounting and financial reporting processes and controls for a user entity is a service organization, and reporting on a service auditor’s engagement under both SSAE no. 16 and International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization.
 
In addition, TIS section 9530, Service Organization Controls (SOC) Reports, in AICPA Technical Practice Aids was issued to include TPAs 9530.01–.22 to provide nonauthoritative guidance on reporting on controls at a service organization relevant to subject matter other than user entities’ ICFR, specifically controls at a service organization relevant to the security, availability or processing integrity of a system or the confidentiality or privacy of the information the system processes. This engagement uses the Trust Services criteria to evaluate the attributes of a system. These TPAs provide information about and differentiate the three SOC engagements included in the SOC report series (SOC 1 for SSAE no. 16 engagements, and SOC 2 and SOC 3 for reporting on controls over the attributes of a system using the Trust Services criteria).

The TPAs provide information about the source of the guidance for performing and reporting on these engagements, and the authority of the new SOC 1 and SOC 2 guides. The section also includes a table that (1) identifies a variety of attestation engagements that involve reporting on controls and (2) the appropriate attestation standard or interpretive guidance to be used in the circumstances.

Recently issued TPAs are available at tinyurl.com/3so64k8.

More from the JofA:

 Find us on Facebook  |   Follow us on Twitter  |   View JofA videos

SPONSORED REPORT

CPEOs provide peace of mind around payroll services

The creation of these new IRS-certified service providers for small businesses clarifies some issues around traditional professional employer organizations.

QUIZ

8 sentences to help you master subject-verb agreement

When professionals prepare written material for readers inside their organization or outside, they should make sure that no errors distract from the message they need to convey. Take this short quiz for practice in subject-verb agreement.