SAS 70 -> SSAE 16 – What does it impact?

As you probably know, there is a new specification for the security audit. It
was SAS 70, but is now SSAE 16. This is an important consideration if you are consuming a service from someone else, or if you provide a service to someone. Somewhere in that mix, if you have auditors, you are going to run into the new SSAE 16. If you need to prepare for a first audit or prepare for a transition to the new
specification, there are new requirements and impacts from the change.

## Who cares
Anyone who has to undergo a SAS 70 audit, which was superseded on June 15, 2011. SSAE 16 is now in force. If you provide services to your customers, and your customers include publicly-traded companies registered with the SEC, you are open to audit compliance requirements. If you are consuming services, you should ask that provider for their auditor’s report, and that will be an SSAE 16 report for newly run audits.

## SSAE 16
The SSAE 16 deliverable is an Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design of Controls, issued under the standards of the American Institute of CPAs (AICPA).

SSAE 16 = Statement on Standards for Attestation Engagements 16.

## Application domain
Payroll processing, accounting, benefits administration, and SaaS are all subject to these auditing requirements.

If the service company’s services affect the financial statements of a customer, or the customer is publicly traded, then the service company can potentially be a weakness in the customer’s financial controls, and so is subject to audit.

## Assessment Rationale
Dropping the E-bomb…Enron and other accounting scandals.

Sarbanes-Oxley (SOX) Act passed in response.

* Holds officers responsible for fair, complete financial statements.
* Financial statements rely on *internal controls* – including communications, IT controls, change controls, etc. These controls or processes must meet objectives.
* Officers must evaluate their controls and report deficiencies.

Without the audit, how could a company vouch for its service organization’s controls? They could

* audit controls of every service organization
* take charge of controls for every service organization
* state that the service organizations’ controls are unknown
* admit a weakness in controls

But how would public companies control the controls of other companies? Do scores of audits? And how would the service organization respond to all of these audits and still perform services?

So the solution is to perform *one* audit and provide that report to any customer who requires it. This allows for verification and reliable reporting about the service company’s controls for the publicly traded, SOX-compliant organization. The publicly traded company can receive an *auditor-to-auditor* report on service organization controls. They can confidently use the report as part of their own audit of controls.

## New characteristics
1. Management attestation – not an audit standard, but an attest standard. Now the company’s management must *attest* in writing about the fair presentation and design of controls. SAS 70 was an *audit* standard and did not require the company’s management to attest in the report. Only the auditors attested; management provided a representation letter, which was *not* included in the audit report. Under SSAE 16, management will describe the company’s service delivery system controls and control objectives. They will attest in writing: that the system description fairly represents the controls in place, that the described controls are suitably designed to meet their objectives, and, if it is a Type II assessment, that the controls operated effectively. The auditors will examine the controls to form their own opinion, which they will report in the audit report. The attestation holds management directly accountable.
2. Suitable criteria for evaluation – Management must use suitable criteria for evaluating the company’s service delivery system, specify in the attestation which criteria were used, and use criteria from a widely recognized standard, or criteria developed with a reasonable level of rigor, i.e., objective, measurable, complete, relevant. Standards depend on the type of service – ITIL, COSO, COBIT, ISO, etc. The suitability of the standard employed is a judgement call.
3. Evidence from prior engagements *disallowed* – auditors gather evidence for each internal control being assessed. Under SAS 70, auditors could use evidence gathered in prior audits to save time. SSAE 16 prohibits such use of prior evidence. Assessments may not take more time than before.
4. Disclosure of reliance on internal auditors – Under SAS 70, auditors could rely on the internal auditor’s tests of controls. Disclosure of such reliance was *not* required. SSAE 16 requires full disclosure of reliance on internal audits, and the company will need to provide a detailed description of the internal audit activities, processes, tools and conclusions.
5. Restrictions on report use – SAS 70 restricted the use of the audit report to company management, customers, and financial statement auditors. SSAE 16 narrows the restriction regarding customers: for a Type I report, to customers as of the report date; for a Type II report, to customers during the report period. In other words, the report can no longer be used by anyone who happens to be a customer; its use is limited to customers in scope during the time covered by the report.
6. Included vs. excluded subservice providers – The service organization may rely on subservice organizations. If so, the choices remain the same as under SAS 70: an inclusive method or a carve-out method. Under the carve-out method the subservice organization’s controls are excluded from your audit; under the inclusive method they are included. Choosing the inclusive method under SSAE 16 now requires the subservice organization’s management to write their own attestation, which is included in the service organization’s assessment. Which method to use is a judgement call, and may be a customer-driven requirement.

## Unchanged characteristics
1. Scope of the assessment – service organization decides which controls are pertinent to service delivery, but customers need to agree with the scope decision. Scope clues can be had by reviewing the service contract.
2. System description – SSAE 16 relies on management’s written description of system, controls, objectives the controls are designed to meet. For each objective, the activities must be described for each control. Auditors collect evidence for each activity claim.
3. Type I and Type II reports – Type I is *point in time*, while Type II covers a *stated time period*. Type I assesses whether controls are fairly and completely described and adequately designed to meet their objectives at the stated point in time (report date). Type II goes further by assessing whether the controls are *operating effectively* over the stated time period, rather than *as of* the report issue date. Type II involves real testing and is the kind of report to ask for if you are consuming a service.
4. Basic Format of the Audit Report – contains an auditor’s opinion letter, system and controls description including control environment, risk assessment and management, information and communication systems, general controls, application controls and monitoring procedures. It also includes user control considerations (what is the user responsible for) and any other relevant information.
5. Assessment Process – auditors provide their opinion on the validity of the service organization’s description of controls, and review control objectives and activities to verify that they exist and are designed as described.

Remember that the AICPA does not issue a certification for either SAS 70 or SSAE 16; the outcome is an auditor’s report stating that one is compliant.
