SSAE-16 & ISAE-3402 are Taking Over SAS-70
By Ben Osbrach, National Risk Advisory Leader
Statement on Auditing Standards No. 70 (SAS 70) has rapidly become a known standard worldwide and its own publicity is ultimately the cause for change (about time). Well it is inevitable that things change, but the new standards that will likely replace SAS 70 audit comes with more flexibility and more responsibility of the service organization.
The International Auditing and Assurance Standards Board (IAASB) felt a need for a common auditing standard to address the varying differences in each countries audit requirements. As a result the IAASB formed and issued the International Standard on Assurance Engagements (ISAE) 3402 ‘Assurance Report on Controls at a Service Organization’ on December 18, 2009. ISAE 3402 is not a means to replace country specific standards (i.e. SAS 70) but to provide reporting option to address current limitations. The new AICPA standard SSAE 16 will replace the existing SAS 70 standard effective June 15, 2011 and early adoption is permitted.
Although there were many discussions that the AICPA would expand the SAS 70 scope beyond financial reporting relevance this is not the case for SSAE 16; however they have provided guidance to cover this limitation under AT Section 101. Below is a summary of the changes affecting the current SAS 70 standard:
- Management is responsible for a description of their system. Previously management was only responsible for the description of controls.
- Management is responsible for providing a written assertion statement supporting their systems description.
- Subservice organizations that are included via the inclusive method are also required to include a written assertion statement similar to the service organization.
- The service auditors’ opinion will change and is now required to report of the design of the system throughout the audit period.
- A requirement to explain the use of internal audit or management testing.
How can service organizations prepare?
- Start communication with your auditor and user organizations.
- Identify the needed changes to your current SAS 70 audit.
- Assess how this will impact your compliance efforts and develop a plan NOW!
How is ISAE 3402 or SSAE 16 going to affect service organizations?
- Service organizations are going to be required to sign off on an assertion confirming the accuracy of the description of their system and that their control activities were operating effectively.
- Service organizations are going to need to perform an assessment of their controls (monitoring procedures) in order to sign off on their assertion.
- A full description is now required for processes and controls covered in your SAS 70 audit report (many organizations already cover this requirement; however there are a number of reports issued over the past years with very limited descriptions).
- A risk assessment over the scope of your audit to determine the adequacy of your controls.
It is highly recommended that organizations start preparing for the upcoming changes to the SAS 70 audit standard. Some organizations may face significant road blocks on completing future engagements after the changes to the SAS 70 audit standard become effective.