End of the SAS 70 Era

Transcription

1 End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing the SAS 70 The Statement on Auditing Standard No. 70 (SAS 70) has been widely used since 1992 when the American Institute of Certified Public Accountants (AICPA) first issued the standard. As of June 15, 2011, the SAS 70 standard will be replaced by two new standards. These standards are the Statement on Standards for Attestation Engagement 16 (SSAE 16) and the International Standard on Assurance Engagements 3402 (ISAE 3402). The SSAE 16 was developed by the American Institute of Certified Public Accountants (AICPA). The ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB). Reasons for New Standards There have been various reasons that contributed to the development of the SSAE 16 and ISAE 3402 standards that are replacing the SAS 70 standard. One of the reasons for the new standards is the globalization of information technology and significant increase in business process outsourcing. Another reason is the highly demanding and constantly changing regulatory environment. Also, another reason is the fact that there was no international standard to perform the function of the SAS 70 and the fact that the AICPA aimed to converge with the international standards. Purpose of New Standards As with the SAS 70, the two new standards main purpose is to report on the internal controls of service organizations that provide services to different user entities which outsource services to third party providers. Comparison of SAS 70 and New Standards The SSAE 16 and ISAE 3402 are very similar, yet they are both different from the SAS 70 standard. The following sections provide a high level comparison of the standards.

2 SAS 70 SSAE 16 Audit Standard Attestation Standard Type 1 and Type 2 reports may be issued by the ser- Same Reports may include or exclude services provided by Same Service auditor s report usage is restricted to service organization management, user entities of the ser- Scope is focused on controls that are likely to be relevant to user entities internal controls over financial reporting Uses a Description of Control Section Service organization s description of controls is more limited The auditor s report need not to include management s written assertion The report does not need to include the assertion of subservice organizations if the inclusive method is used Same SSAE 16 focuses in internal controls over financial statements, but it can be used as a guide to report on other types of controls (e.g., compliance) Uses a Description of System Section Service organization s description of system is more extensive Management s written assertion must be included as part of the report Management s assertion must include the suitable criteria used for its assessment Management is required to identify the risks that threaten the achievement of the control objectives stated in the description If a service organization uses subservice organizations and selects to use the inclusive method, the subservice organizations assertion need to be included in the report The service auditor opinion is as of a point in time Service auditor is not required to disclose reliance on Internal Audit work Does not require the service auditor to investigate the nature and cause of any deviations identified The assessment does not have to be wholly based on evidence obtained during the current period SAS 70 opinion format and content The service auditor opinion is as of a period cov- Service auditor is required to disclose reliance on Internal Audit work and service auditor proce- Require the service auditor to investigate the nature and cause of any deviations identified The assessment must be wholly based on evidence obtained during the current period SSAE 16 format and content Representation letter required from service organi- Same One Guide available on examining and reporting on Two new guides will be available 1) Control over service organizations - Control over financial reporting focus other than financial financial reporting 2) Control over subject matter reporting

3 SSAE 16 ISAE 3402 Service auditor must investigate the nature and cause of Not required any deviation resulted from intentional acts by service organization personnel Requires a management representation letter Deviation identified in tests of controls involving sampling is representative of the population Not required Deviation identified in tests of controls involving sampling is not representative of the population Internal audit direct assistance is permitted Disclosure of significant subsequent events is required Not permitted Limited disclosure required Requires a statement restricting the use of the service auditor report Requires documentation completion within 60 days after the report release date Statement inclusion is not mandatory Timely completion of documentation is required, but there is no specific number of days Engagement acceptance and continuance requires a Not required management representation letter Lack of management representation letter results in Lack of management representation letter results in disclaiming an opinion or withdrawing from the engagement disclaiming an opinion Requires additional content requirements for the report Requires less content requirements for the report New Responsibilities of Service Organizations Service organizations will have additional responsibilities with the new standards replacing the SAS 70. Management will be responsible for preparing a complete and accurate description of the service organization s system. The description should cover the following aspects: Types of services provided to user organizations Procedures (manual and automated) by which the services are provided Description of the classes and flow of transactions (including - initiation, authorization, recording, processing, reporting) Control objectives, controls and complementary controls Significant events and conditions other than transactions Controls performed by the subservice organization, if applicable The process used to prepare reports provided to user organizations Changes to the system during the period covered by the report Other aspects of the service organization s control environment Risk assessment process Information and communication systems Control activities and monitoring controls

4 With the new standards, management will have to identify the risks that threaten the achievement of the control objectives stated in management s description of the system. Also, management will have to provide a written assertion that will state that the controls are fairly presented, suitably designed and operating effectively to achieve the defined control objectives. If the service organization includes in the report the description of controls of sub-service organizations, it will also have to provide a written assertion for the sub-service organization. Additionally, the management s assertion must be included as part of the report and the assertion needs to be based on suitable criteria. Suggestions for Service Organizations Service organizations will need to prepare for the new standards. It is highly recommended that service organizations start their preparation soon in order to be ready prior to the effective date of the two new standards, June 15, Service organizations should consider addressing the following tasks: Obtain more information about the new standards from a qualified and experience auditor. Determine if early adoption of the standards is applicable to the organization. Determine which of the two new standards is applicable to the organization. Determine if subservice organizations need to be considered as part of the report. Evaluate if the existing SAS 70 description of controls can be used and determine additional aspects that need to be included. Identify the assertion and suitable criteria for the service organization and subservice organizations, if applicable. Determine the members of management who will be responsible for the report using the new standards. Identify the risk that threatens the achievement of control objectives. Evaluate existing monitoring and testing practices to determine if they are adequate to support the service organization assertion. Establish adequate communication of the new standards implementation within the service organization and with user entities. Consider revisions of legal contracts to reflect the use of the new standards. Suggestions for User Entities User entities that outsource services to service organizations will also have to transition from the SAS 70 to service organization reports created under the new standards. User entities will need to understand the new standards to ensure that the outsourced services have adequate controls. User entities should address the following before the effective date of the new standards: Initiate discussions with auditors to obtain an understanding of the new standards and its implementation requirements. Ensure the service organization report is performed by reputable and qualified professionals. Ensure the service organization provides a type II report because it includes tests of the effectiveness of controls. Ensure the service organization provides a report developed in accordance to the new standards. Ensure the report covers a scope that is adequate for your organization. Ensure the report covers the control objectives required by the organization. Ensure the report covers the regulations and\or control standards required by the organization (e.g., GLBA, FACT Act, HIPAA, HITECH, Ensure proper assignment of someone at the organization to be responsible to handle aspects related to the service organization report.

5 Ensure the period covered is adequate for the organization. Ensure adequate control testing is performed. Ensure the contracts with service organizations address the new standards. Ensure proper assignment of someone at the organization to be responsible to handle aspects related to the service organization report. Implications of the New Standards There are a series of implications of the new standards. First, the new standards will impose additional responsibilities and requirements on service organizations and service auditors. It will increase the reliability of the service organization s controls through more management accountability and provide better disclosure of service organization s controls and status of controls. The new standards are expected to enhance the consistency on the reporting of controls by all service organizations. Also, the new standards will require additional work to plan for and implement, at least during the first year. Last, but not least, the new standards will improve the ability of service organizations to compete internationally. Early Adoption of the New Standards Although the new standards are effective for reports with periods ending on or after June 15, 2011, early adoption of the standards is permitted. Early adoption of the standards can be beneficial for organizations. It will provide more time to plan and ensure the proper implementation of the processes and practices required to comply with the new standards. Also, service organizations that are early adopters of the standards may be perceived as having a stronger control environment. They may also be perceived as leaders and may therefore have a competitive advantage.

6 ERM wants to hear from YOU. With this edition of our newsletter, we re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com. Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services IT Security Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Certifications Certified Public Accountant (CPA) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) GIAC Security Essentials Certification GIAC Systems and Network Auditor Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) Some of our Clients ABN-AMRO Private Banking Bacardi-Martini, Inc. Bancafe International Banco Industrial de Venezuela Banco ITAU Bank United Caja Madrid Bank Carnival Cruise Lines, LLC CitiBank Coconut Grove Bank Commerce Bank E-data Financial Florida International University Florida Power & Light Company Heico Aerospace Helm Bank Knight Ridder Nova Southeastern University Rinker Materials Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc. The International Bank of Miami TransAtlantic Bank U.S. Century Bank For more information, visit info@emrisk.com Phone: Douglas Road North Tower, Suite 835 Coral Gables, FL 33134