The AICPA issued Technical Practice Aids (TPAs) 9520.12–.26 to provide nonauthoritative guidance regarding Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801).
The TPAs provide guidance for service auditors reporting on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR), and also to user auditors who audit the financial statements of entities that use a service organization. SSAE no. 16 supersedes the guidance for service auditors that is in Statement on Auditing Standards no. 70, Service Organizations (AICPA, Professional Standards, AU sec. 324). The guidance for user auditors will remain in the auditing standards.
The TPAs cover topics including the effect of moving the guidance for service auditors from the auditing standards to the attestation standards, the changes introduced by SSAE no. 16, the content of management’s assertion, determining whether an outside CPA firm that performs significant accounting and financial reporting processes and controls for a user entity is a service organization, and reporting on a service auditor’s engagement under both SSAE no. 16 and International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization.
TPAs 9520.01–.11 replace TIS section 9520, Service Organization Standards and Implementation Guidance, in AICPA Technical Practice Aids. The section is now titled SSAE No. 16, Reporting on Controls at a Service Organization.
In addition, TIS section 9530, Service Organization Controls (SOC) Reports, in AICPA Technical Practice Aids was issued to include TPAs 9530.01–.22 to provide nonauthoritative guidance on reporting on controls at a service organization relevant to subject matter other than user entities’ ICFR, specifically controls at a service organization relevant to the security, availability or processing integrity of a system or the confidentiality or privacy of the information the system processes. This engagement uses the Trust Services criteria to evaluate a system’s attributes. These TPAs provide information about and differentiate the three service organization controls (SOC) engagements included in the SOC report series (SOC 1 for SSAE no. 16 engagements; SOC 2 and SOC 3 for reporting on controls over the attributes of a system using the Trust Services criteria).
The TPAs provide information about the source of the guidance for performing and reporting on these engagements, and the authority of the new SOC 1 and SOC 2 guides. The section also includes a table that (1) identifies a variety of attestation engagements that involve reporting on controls and (2) the appropriate attestation standard or interpretive guidance to be used in the circumstances.
More from the JofA: