SAS 70 audits are required by companies with outsourced services that can impact their financial statements. SAS 70 is being replaced by two new standards: SSAE 16 (Statement on Standards for Attestation Engagements), effective June 15, 2011, and an SAS (Statement on Auditing Standards) effective December 31, 2012, to be enumerated later.
Consider these Top 5 (+1) issues regarding these changes when using outsourced services:
1. The two new standards split the work of SAS 70. SSAE 16 is focused on the service provider’s auditor requirements, while the new SAS is for the user (client) auditors.
2. There are now more audit reports than the two SAS 70 reports (Type I and Type II audits).
   a. Service Organization Control (SOC) Report I – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
      i. SOC 1 reports include the old SAS 70 Type I and Type II engagements.
   b. SOC II – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
   c. SOC III – Trust Services Report for Service Organizations
3. The timing of the audit reporting periods has now changed, depending on the report type. They now report on the controls during a specific period of time versus an “as-of” date.
4. Past audit history can no longer be used as evidence for the current audit for the service provider’s controls.
5. Management from the service provider is now required, depending on the audit type, to provide a written assertion on the description, design and operating effectiveness of their controls.
6. SSAE 16 is based on International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization. This point, along with the splitting of the requirements into two separate requirements, further evidences the convergence of US GAAP and IFRS (International Financial Reporting Standards).
Here are a few extra points to remember that have not changed from SAS 70 to the new requirements:
There was no SAS 70 certification, and there will be no certification on these new requirements. Neither of these new requirements provides non-financial attestation; that is provided under completely different guidance (AT Section 101). Like SAS 70 before them, SSAE 16 and the new SAS are points to ponder during RFP development and contract negotiations, not after.
The evolution of cloud computing further emphasizes the need to address these points before the contract is signed. User companies should engage their accounting resources when working with service providers, and TPI’s Financial Analysis experts can also help you define your requirements when developing RFPs as well as provide expertise in contract negotiations.
What do you think about the changes that the replacement of SAS 70 will bring? How might they affect your sourcing-related activities? Discuss in the comments section here or contact John Klee, Senior Advisor, TPI.