For nearly 20 years, organizations that outsourced part of their functions to service providers have relied on SAS 70 reports to gain assurance that proper controls relevant to user entities' internal control over financial reporting are in place at service organizations. With the globalization of outsourcing services and changes in the regulatory landscape, the American Institute of Certified Public Accountants Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16 in January 2010. SSAE No. 16 is effective for reporting periods ending on or after June 15, 2011, which means that the new standards could affect organizations as early as June 2010.
SSAE No. 16 is substantially similar to SAS 70. One of the key differences is in the portion of the report where the service organization describes its controls and systems. Under SSAE No. 16, a service organization will need to provide a description of its system (as opposed to a description of its controls under SAS 70). The description of the system is more expansive and detailed than the SAS 70 description of controls. Controls are only one aspect of a system. The new standards require service organizations to provide more information on their systems, processes and procedures.
The other key difference is that SSAE No. 16 requires service organizations to provide a management assertion regarding management’s responsibility for the description of the system and the related controls designed to achieve the stated control objective. The new standards also require service organizations to identify risks that threaten the achievement of the control objectives.
While many of the descriptions contained in the SAS 70 reports provided by service organizations meet most of the criteria under the new standards, service organizations that currently meet only the minimum requirements of SAS 70 will need to put in more effort under the new model. The new standard represents more work for service organizations because they are now required to provide a more elaborate description of the system and also to provide a management attestation. The new model may or may not have been contemplated when the outsourcing contract was negotiated. If the additional work was not contemplated when the outsourcing contract was prepared, it represents additional effort and cost for service organizations, which could mean that some of them may remove topics that were previously included in their SAS 70 reports. User entities need to understand what they expect the scope of the audit to include and the type of audit rights required under the new model.
Both service organizations and user entities need to review existing outsourcing contracts to determine the type of audit and reports required under the existing contracts, whether the existing contractual language is broad enough to cover SSAE No. 16, and whether revisions are necessary to transition to the new standards.