Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?"

Transcription

1 SAS 70 EVOLUTION: Here comes SSAE 16 PLANNING FOR THE NEW SERVICE ORGANIZATION REPORTING STANDARDS The prevalence of SAS 70 audits has grown dramatically since the standards issuance in April of The importance of the standard cannot be understated in the value it has provided, serving the needs of service providers, user organizations and user auditors to report on the effectiveness of service organizations internal controls. Major changes effective June 15, 2011: 1. More detailed requirements for the description of the service organization s system of controls. 2. Adds a written assertion from management. 3. Adds a risk analysis. 4. Increases clarity and reporting requirements for the use of subservice organizations. 5. Changes auditor opinion on control design effectiveness from a single date to the entire period of time covered by the report. Service organizations of all sizes have demonstrated their commitment to internal controls by proactively obtaining a Service Auditor s Report. However, the increasing importance of effective controls and reporting processes, combined with globalization and regulatory concerns, have prompted the issuance of a new standard that replaces SAS 70 for US based service organizations. How will the new standard affect my business? How do I prepare to meet the new requirements? In April 2010, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 supersedes Statement on Auditing Standards No. 70, Service Organizations (SAS 70). SSAE 16 is applicable when an entity (the user entity) outsources a business task or function to another entity (the service organization) and the data resulting from that task or function is incorporated in the user entity s financial statements. For example, if a health insurance company outsources its medical claims processing, and the resulting claims data is used to record its claims expense and related liability, the insurance company is responsible for the accuracy of the data even though the data is generated by the claims processor.

2 While similar to SAS 70, the new SSAE will require changes to service organizations reports and reporting processes. For some service organizations, these changes will be relatively minor. For others, significant efforts will be required to change their reports, reporting processes or both. To determine the impact of and how best to plan for implementation of the new standards, service organizations need to understand the following: Reasons for the new SSAE and timing Service organization responsibilities under the new SSAE Action steps to implement the new SSAE Reasons for the new SSAE and timing While SAS 70 has worked effectively for many service organizations, a number of factors resulted in the need for the new SSAE, including: 1) The globalization of business process outsourcing Business process outsourcing has grown from regional shared service organizations created by specific industries to multinational and local organizations serving many different industries for a mixture of local, regional and international organizations. As a result, the information required in a SAS 70 report may no longer be sufficient for user entities. 2) The movement to align the US accounting standards with international standards While it is used globally, SAS 70 is a US standard, and engagements must be performed in accordance with the AICPA US Auditing Standards. Consequently, current reports may not respond to the needs of user entities and their auditors outside the US. SSAE 16 will correspond almost in its entirety with the IAASB (International Auditing and Assurance Standards Board) issued regulation ISAE Before After Effective 3) Service organization s report versus service auditor s report SAS 70 was developed as an auditor-to-auditor communication; a way for the service auditor to share audit workpapers with the user auditor, who then could rely on this work in planning and executing the financial statement audit. However, the regulatory landscape has seen significant changes, and governments, regulators, boards of directors and financial statement users are placing ever-increasing emphasis on internal control over financial reporting. These stakeholders, as well as the user auditors, now need a report from and by the service organization describing its internal control. This, in turn, significantly increases the importance of management s description of its system. The independent service auditor s opinion remains critical, but its role is as a provider of assurance, not the entity responsible for the communication. Service organization SERVICE AUDITOR SAS 70 SSAE 16 June 15, 2011 SERVICES SAS 70 User entity USER ENTITY AUDITOR New SAS TBD: Clarified auditing standard for user entities. December 16, 2012 (Anticipated) Timing The new standard is effective for reports for periods ending on or after June 15, 2011, with early adoption permitted. Because many reporting periods cover 12 months and begin in July, SSAE 16 affected many organizations as early as July 1, 2010.

3 Service organization responsibilities under the new SSAE Under the new SSAE, service organizations will be affected by five significant changes in responsibility not previously seen under SAS 70: 1. Describing the service organization s system Under SAS 70, a service organization provides a description of controls. Under SSAE 16, a service organization provides a description of its system as designed and implemented. The service organization s description of its system would include the following: (1) the services provided, including classes of transactions processed; (2) the procedures by which services are provided, including transaction initiation, authorization, recording, processing, and correction; (3) the capturing of significant events and conditions other than transactions; and (4) the process used to prepare reports of information provided to user entities. 2. Management s assertion SSAE 16 requires that management must provide a written assertion to be placed in the report. The assertion must communicate (1) the service organization management s responsibility for the description of controls and (2) the achievement of the evaluation criteria of the description of the system. 3. Risk Analysis SSAE 16 requires the service organization to support management s assertion through identifying risks that threaten the achievement of the control objectives. It must also determine whether the controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives from being achieved. 4. Subservice organization involvement Similar to SAS 70, under SSAE 16 the carve-out and inclusive methods are still available for dealing with services provided by subservice organizations in the report. However, if a service organizations involvement requires the use of the inclusive method, the subservice organization must prepare a management assertion report similar to the assertion report prepared by the service organization s management. Getting subservice organization management to agree to provide this assertion may be more difficult than obtaining a letter of representation. (Note: a letter of representation from the subservice organization is still required.) This is even more likely to be a challenge when the subservice organization is a small unit of a much larger organization. 5. Period of control operating effectiveness In a Type 2 engagement, the description of the service organization s system will cover a period of time (e.g. 6 or 12 months), rather than being as of a specified date. Previously under SAS 70, the auditor s opinion only covered the controls placed in operation at a single point in time. The guidance for user auditors, currently in AU Section 324, will be unchanged until a currently proposed SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization (Redrafted), becomes effective. The proposed SAS does not contain any significant changes for user auditors. SSAE 16 will be located in Section 801 of the attestation standards. SSAE 16 is effective for service auditor s reports for periods ending on or after June 15, 2011, with earlier implementation permitted.

4 Action steps to help your company implement the new SSAE There are several key steps required to implement the new SSAE standard. 1. Determine when to implement - The implementation date for the adoption of the new SSAE has some important considerations. The New Standards must be adopted for periods ending on or after June 15, 2011, with earlier adoption permitted. Service organizations should consider the potential benefits of early adoption, including whether: Market benefits exist for early adoption of the new SSAE by demonstrating your understanding of their risk requirements and compliance needs; Non-US user entities have a preference for reports issued under the international standard; Determine whether subservice organizations will be treated under the inclusive method and the challenges resulting from this method. 2. Notify subservice organizations All subservice organizations used should be considered with the implementation of the new SSAE. If a current SAS 70 report uses the inclusive method for one or more subservice organizations, early discussions with the subservice organization(s) are critical. An assertion report from subservice organization management may be difficult to obtain. Early communication with subservice organization management will reduce the risk of the subservice organization refusing to provide an assertion report when the final report is issued. Consider modifying the reporting approach if the inclusive method is used if a service provider obtains their own report on their internal controls, either under SSAE 16, SAS 70, or other acceptable standard. If a subservice organization has an acceptable report for the services it provides to you and your customers, it is usually easier to provide your customers with a copy of the subservice organization s report and limit your report to only your processes. You should discuss this reporting strategy with these subservice organizations. 3. Notify your customers A change management plan should be developed for controlling communication of the new SSAE and roll-out of your future report under the SSAE standard. Your service organization report is one part of your service portfolio. The term SAS 70 report has become the generic term for service organization reports and has developed its own brand identity. However, as of the effective date of the new SSAE, SAS 70 will no longer be accurate, so converting to the term Service Auditor s Report is appropriate. In preparing for the change you should consider: How you will communicate the changes in the New Standards to your clients. Multiple communications may help them understand the nature of the change, including a cover letter attached to the first report issued under the new standard explaining the change. If you do not early-adopt the new SSAE standard in 2010, you should consider communicating your implementation plans in the 2010 report. Review your standard contracts to determine whether the term SAS 70 is used. Consult with your legal counsel regarding any required changes and assess the impact on existing contracts. Make sure that your sales and client service personnel understand the pending change and its impact to your clients. Their ability to explain the change can reduce client confusion and uncertainty.

5 For more information on the Standards for Attestation Engagements (SSAE) No. 16, contact: 4. Review your system description and the description of all relevant controls As mentioned, many existing SAS 70 reports will need only minor modifications to comply with the new SSAE, but some reports will require more extensive modifications. In updating your report for the new standard, you should consider reviewing the criteria used to evaluate the description(s) of the system(s). While the standard sets minimum criteria for the description, other criteria may be appropriate to include. You should consult with us as part of this process. LARRY HESSNEY Director Re-evaluate the risks facing your organization against your existing control objectives As previously described, the risks that threaten the achievement of the control objectives are required to be identified and stated in the description. The identified controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved. Your control objectives should focus only on those aspects of your services that can affect your clients financial statement assertions. Consider whether your control objectives are complete, and evaluate whether all of them are necessary. In identifying the risks, use your risk assessment process. Most organizations perform regular risk assessments, either formally or informally. These risk assessments address both financial and operating risks, including risks of not meeting service-level agreements. F R E E D M A X I C K. C O M BUFFALO 420 Main Street Suite 800 Buffalo, NY BATAVIA One Evans Street Batavia, NY ROCHESTER 100 Meridian Centre Suite 310 Rochester, NY

6 F R E E D M A X I C K. C O M

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770 Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination

More information

FAQs New Service Organization Standards and Implementation Guidance

FAQs New Service Organization Standards and Implementation Guidance FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service

More information

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP Audits of controls at a service organization Roadmap to the

More information

The end of SAS70 what next for Performance Assurance?

The end of SAS70 what next for Performance Assurance? Enhancing Trust and Transparency The end of SAS70 what next for Performance Assurance? A perspective on transitioning from SAS 70 to ISAE 3402 pwc Enhancing Trust and Transparency 1 Contents What you need

More information

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards. At a glance While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard while SSAE 16 is an attest standard. Out with the old SAS 70 and in with the new

More information

Service Organization Control (SOC) Reports

Service Organization Control (SOC) Reports Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact

More information

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization November 2011 AICPA Technical Practice Aids TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization.01 New Standards for Service Auditors and User Auditors Inquiry Did the issuance

More information

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization

BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization August 2010 BASIS FOR CONCLUSIONS Canadian Standard on Assurance Engagements (CSAE) 3416, Reporting on Controls at a Service Organization This Basis for Conclusions has been prepared by staff of the Auditing

More information

Reporting on Controls at a Service Organization

Reporting on Controls at a Service Organization Reporting on Controls at a Service Organization 1529 AT Section 801 Reporting on Controls at a Service Organization (Supersedes the guidance for service auditors in Statement on Auditing Standards No.

More information

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting Farewell to SAS 70 What you need to know about the New Standard for Service Organization Reporting ADVISORY rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative

More information

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402

More information

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS Mayer Hoffman McCann P.C. An Independent CPA Firm MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Since its issuance in 1992, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing

More information

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview of service organisation control reports Service organisation

More information

End of the SAS 70 Era

End of the SAS 70 Era End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing

More information

Monitoring Outside Service Providers, Part III: SAS 70 Updates

Monitoring Outside Service Providers, Part III: SAS 70 Updates Monitoring Outside Service Providers, Part III: SAS 70 Updates Richard F. Fischer, CPA Louis Plung & Company, LLP richard.fischer@louisplung.com 412-281-8771 CHANGES TO SAS 70 SERVICE ORGANIZATIONS: Statement

More information

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report Presenting a live 110 minute teleconference with interactive Q&A SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report WEDNESDAY,

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

Goodbye, SAS 70! Hello, SSAE 16!

Goodbye, SAS 70! Hello, SSAE 16! Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70

More information

Shared Service System Audits: What User Management and Auditors Need to Know

Shared Service System Audits: What User Management and Auditors Need to Know Shared Service System Audits: What User Management and Auditors Need to Know JFMIP May 2014 Presented by: Robert Dacey GAO Session Objectives Properly using SSAE 16 service organization audit reports Revisions

More information

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports SAS No. 70, Service Organizations Standard for reporting on a service organization s controls affecting user entities financial statements

More information

Service Organization Control Reports

Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences

More information

SAS No. 70, Service Organizations

SAS No. 70, Service Organizations SAS No. 70, Service Organizations A standard for reporting on a service organization s controls affecting user entities' financial statements. Only for use by service organization management, existing

More information

Audit, Review, Compilation, and Preparation of Financial Statements

Audit, Review, Compilation, and Preparation of Financial Statements Audit, Review, Compilation, and Preparation of Financial Statements DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does

More information

OUTSOURCING AND SERVICE AUDITOR S REPORTS

OUTSOURCING AND SERVICE AUDITOR S REPORTS OUTSOURCING AND SERVICE AUDITOR S REPORTS FREEDOM TO DO BUSINESS Outsourcing and service Auditor s Reports 3 OUTSOURCING AND SERVICE AUDITOR S REPORTS SERVICE AUDITOR S REPORTS ARE GROWING IN IMPORTANCE,

More information

Service Organizations: Auditing Interpretations of Section 324

Service Organizations: Auditing Interpretations of Section 324 Service Organizations 1835 AU Section 9324 Service Organizations: Auditing Interpretations of Section 324 1. Describing Tests of Operating Effectiveness and the Results of Such Tests.01 Question Paragraph.44f

More information

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive

More information

Reports on Service Organizations Where we ve been?

Reports on Service Organizations Where we ve been? Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview

More information

Frequently asked questions: SOC 2 and 3

Frequently asked questions: SOC 2 and 3 1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016 Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we

More information

Understanding Vendor Risk And Analyzing the SSAE No. 16

Understanding Vendor Risk And Analyzing the SSAE No. 16 Understanding Vendor Risk And Analyzing the SSAE No. 16 Accelerate your Credit Union s Performance June 19, 2014 AUSTIN, TEXAS www.cuaccelerator.com Agenda Vendor Management Key Outsourcing Risk Areas

More information

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,

More information

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT SOC2 Security Report on Controls Supporting DriveSavers Services Independent Service Auditor s Report on Design of Controls Placed in Operation and Tests of Operational Effectiveness Relevant to Security

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

SSAE 16 SOC 1 Type 2

SSAE 16 SOC 1 Type 2 SSAE 16 SOC 1 Type 2 Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls September

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

The 21 st Century Version of SAS 70..SSAE 16

The 21 st Century Version of SAS 70..SSAE 16 presents Mastering SAS 70 Audit Reports for Service Organizations Evaluating Internal Controls Issues With Type I and Type II Reports A Live 110-Minute Teleconference/Webinar with Interactive Q&A Today's

More information

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service

More information

Auditing CPA EXAM REVIEW V 1.0

Auditing CPA EXAM REVIEW V 1.0 V 1.0 CPA EXAM REVIEW Auditing UPDATES AND ACADEMIC HELP Click on Community and Support at www.becker.com/cpa CUSTOMER SERVICE AND TECHNICAL SUPPORT Call 1.877.CPA. EXAM (Outside the U.S. +1.630.472.2213)

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated

More information

Association With Financial Statements

Association With Financial Statements Association With Financial Statements 2139 AU Section 504 Association With Financial Statements (Supersedes SAS No. 1, sections 516, 517, and 518 and SAS No. 15, paragraphs 13 15.) [1] Source: SAS No.

More information

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

ISA 200, Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing

ISA 200, Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing International Auditing and Assurance Standards Board Exposure Draft April 2007 Comments are requested by September 15, 2007 Proposed Revised and Redrafted International Standard on Auditing ISA 200, Overall

More information

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT White Paper www.a3freightpayment.com THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT Introduction An essential element

More information

INTERNATIONAL STANDARD ON AUDITING 600 USING THE WORK OF ANOTHER AUDITOR CONTENTS

INTERNATIONAL STANDARD ON AUDITING 600 USING THE WORK OF ANOTHER AUDITOR CONTENTS INTERNATIONAL STANDARD ON AUDITING 600 USING THE WORK OF ANOTHER AUDITOR (This Standard is effective) CONTENTS Paragraph Introduction... 1-5 Acceptance as Principal Auditor... 6 The Principal Auditor s

More information

Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1

Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1 Inquiry of a Client s Lawyer 1985 AU Section 337 Inquiry of a Client s Lawyer Concerning Litigation, Claims, and Assessments 1 Source: SAS No. 12. See section 9337 for interpretations of this section.

More information

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) Special Considerations---Audits of Group Financial Statements 621 AU-C Section 600 Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) Source: SAS No.

More information

Update on AICPA Assurance Services Executive Committee Activities

Update on AICPA Assurance Services Executive Committee Activities Update on AICPA Assurance Services Executive Committee Activities Amy Pawlicki Director Business Reporting, Assurance & Advisory Services and XBRL AICPA Agenda ASEC overview Summary of work streams by

More information

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office

GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability

More information

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION (Effective for service auditors assurance reports covering periods ending on or after

More information

GAO. Government Auditing Standards: Implementation Tool

GAO. Government Auditing Standards: Implementation Tool United States Government Accountability Office GAO By the Comptroller General of the United States December 2007 Government Auditing Standards: Implementation Tool Professional Requirements Tool for Use

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 PROPOSED AUDITING STANDARD RELATED TO CONFIRMATION AND RELATED AMENDMENTS TO PCAOB STANDARDS ) ) ) ) ) ) ) )

More information

CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION FORMULATION PROCESS

CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION FORMULATION PROCESS A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION

More information

SECURITY AND EXTERNAL SERVICE PROVIDERS

SECURITY AND EXTERNAL SERVICE PROVIDERS SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security

More information

Bulletin 2006-007. Date Issued: June 28, 2006. All Public Offices Independent Public Accountants. Betty Montgomery Ohio Auditor of State

Bulletin 2006-007. Date Issued: June 28, 2006. All Public Offices Independent Public Accountants. Betty Montgomery Ohio Auditor of State Date Issued: June 28, 2006 Bulletin 2006-007 TO: FROM: All Public Offices Independent Public Accountants Betty Montgomery Ohio Auditor of State SUBJECT: Public Contracting/Required Financial Reviews (Sections

More information

The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements

The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements Auditor s Consideration of Internal Audit Function 1805 AU Section 322 The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements (Supersedes SAS No. 9.) Source: SAS

More information

RECKENEN FOCUS ON SAS 70 & SSAE 16

RECKENEN FOCUS ON SAS 70 & SSAE 16 RECKENEN FOCUS ON SAS 70 & SSAE 16 Hassan Sultan, CPA Managing Director 3001 Park Center Drive Suite 1000 Alexandria, VA 22302 Phone (703) 249 4509 Email hsultan@reckenen.com SAS 70 & SSAE 16 Overview

More information

ISA 620, Using the Work of an Auditor s Expert. Proposed ISA 500 (Redrafted), Considering the Relevance and Reliability of Audit Evidence

ISA 620, Using the Work of an Auditor s Expert. Proposed ISA 500 (Redrafted), Considering the Relevance and Reliability of Audit Evidence International Auditing and Assurance Standards Board Exposure Draft October 2007 Comments are requested by February 15, 2008 Proposed Revised and Redrafted International Standard on Auditing ISA 620, Using

More information

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview

More information

INTERNATIONAL STANDARD ON AUDITING 230 AUDIT DOCUMENTATION CONTENTS

INTERNATIONAL STANDARD ON AUDITING 230 AUDIT DOCUMENTATION CONTENTS INTERNATIONAL STANDARD ON AUDITING 230 AUDIT DOCUMENTATION (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction Scope of this

More information

IMPLEMENTATION OF THE CLARIFIED INTERNATIONAL STANDARDS ON AUDITING (ISAs)

IMPLEMENTATION OF THE CLARIFIED INTERNATIONAL STANDARDS ON AUDITING (ISAs) Enhancing Audit Quality IMPLEMENTATION OF THE CLARIFIED INTERNATIONAL STANDARDS ON AUDITING (ISAs) 2 Implementation of the Clarified ISAs The International Auditing and Assurance Standards Board (IAASB)

More information

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON AUDITING 720 THE AUDITOR S RESPONSIBILITIES RELATING TO OTHER INFORMATION IN DOCUMENTS CONTAINING AUDITED FINANCIAL STATEMENTS (Effective for audits of financial statements for

More information

Supplementary Information in Relation to the Financial Statements as a Whole

Supplementary Information in Relation to the Financial Statements as a Whole Supplementary Information in Relation to the F/S 2237 AU Section 551 Supplementary Information in Relation to the Financial Statements as a Whole (With SAS No. 118, supersedes former section 551, Reporting

More information

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) Special Considerations---Audits of Group Financial Statements 607 AU-C Section 600 Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) Source: SAS No.

More information

Data Analytics Working Group Update

Data Analytics Working Group Update Working Group Update Bob Dohrer, IAASB Member and Working Group Chair IAASB Meeting June 2015 Agenda Item 3-A Page 1 Audit Data Analytics Agenda Current Landscape What Is It? Audit Data Analytics and the

More information

Agreed-Upon Procedures Engagements

Agreed-Upon Procedures Engagements Agreed-Upon Procedures Engagements 1323 AT Section 201 Agreed-Upon Procedures Engagements Source: SSAE No. 10; SSAE No. 11. Effective when the subject matter or assertion is as of or for a period ending

More information

Proposed Consequential and Conforming Amendments to Other ISAs

Proposed Consequential and Conforming Amendments to Other ISAs IFAC Board Exposure Draft November 2012 Comments due: March 14, 2013, 2013 International Standard on Auditing (ISA) 720 (Revised) The Auditor s Responsibilities Relating to Other Information in Documents

More information

Proposed Auditing Standard: Inquiry Regarding Litigation and Claims (Re-issuance of AUS 508)

Proposed Auditing Standard: Inquiry Regarding Litigation and Claims (Re-issuance of AUS 508) EXPOSURE DRAFT ED 27/05 (December 2005) Proposed Auditing Standard: Inquiry Regarding Litigation and Claims Prepared and Issued by the Auditing and Assurance Standards Board Commenting on this Exposure

More information

MORRISON I FOERSTER. Legal Updates & News. A Guide to the Impact of SAS 70 on Outsourcing Projects January 2008 by Alistair Maughan, Susan McLean

MORRISON I FOERSTER. Legal Updates & News. A Guide to the Impact of SAS 70 on Outsourcing Projects January 2008 by Alistair Maughan, Susan McLean MORRISON I FOERSTER Legal Updates & News Legal Updates A Guide to the Impact of SAS 70 on Outsourcing Projects January 2008 by Alistair Maughan, Susan McLean Related Practices: Sourcing The worlds of outsourcing

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Staff Paper. IFRIC Meeting Agenda reference 18. Going concern disclosure. Purpose of this paper

Staff Paper. IFRIC Meeting Agenda reference 18. Going concern disclosure. Purpose of this paper IFRIC Meeting Agenda reference 18 Staff Paper Date May 2009 Project Topic IAS 1 Financial Statement Presentation Going concern disclosure Purpose of this paper 1. The purpose of this paper is to document

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, NW Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org AUDITING STANDARD No. 16 COMMUNICATIONS WITH AUDIT COMMITTEES; RELATED AMENDMENTS TO PCAOB STANDARDS;

More information

Data Analytics Working Group Update

Data Analytics Working Group Update Working Group Update Bob Dohrer, IAASB Member and Working Group Chair IAASB CAG Meeting September 2015 Agenda Item L.1 Page 1 Audit Data Analytics Agenda Current Landscape Audit Data Analytics and the

More information

Reporting on Pro Forma Financial Information

Reporting on Pro Forma Financial Information Reporting on Pro Forma Financial Information 1381 AT Section 401 Reporting on Pro Forma Financial Information Source: SSAE No. 10. Effective when the presentation of pro forma financial information is

More information

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA/CITP, Partner at RubinBrown, LLP Janis Parthun, CPA/CITP, Sr. Technical Manager

More information

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or

More information

October 1, 2015. Ms. Sherry Hazel American Institute of Certified Public Accountants 1211 Avenue of the Americas, 19 th Floor New York, NY 10036-8775

October 1, 2015. Ms. Sherry Hazel American Institute of Certified Public Accountants 1211 Avenue of the Americas, 19 th Floor New York, NY 10036-8775 Deloitte & Touche LLP 695 E Main Street Stamford, CT 06901-2150 Tel: +1 203 761 3000 Fax: +1 203 761 3013 www.deloitte.com October 1, 2015 Ms. Sherry Hazel American Institute of Certified Public Accountants

More information

First Time Adoption of International Financial Reporting Standards Guidance for Auditors on Reporting Issues

First Time Adoption of International Financial Reporting Standards Guidance for Auditors on Reporting Issues August 2004 Questions and Answers First Time Adoption of International Financial Reporting Standards Guidance for Auditors on Reporting Issues First Time Adoption of International Financial Reporting Standards

More information

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009 Agenda Item 8-B Statement of Position 09-1 April 28, 2009 Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data Issued Under the Authority

More information

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements PLAN NAME: PLAN YEAR END: CLIENT NUMBER: SCOPE OF PLAN AUDIT: LIMITED FULL Note:

More information

Practice Guide. Reliance by Internal Audit on Other Assurance Providers

Practice Guide. Reliance by Internal Audit on Other Assurance Providers Practice Guide Reliance by Internal Audit on Other Assurance Providers DECEMBER 2011 Table of Contents Executive Summary... 1 Introduction... 1 Principles for Relying on the Work of Internal or External

More information

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1

Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 Auditing Derivative Instruments 1915 AU Section 332 Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 (Supersedes SAS No. 81.) Source: SAS No. 92. See section 9332 for

More information

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS INTERNATIONAL STANDARD ON ENGAGEMENTS 2410 OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY (Effective for reviews of interim financial information for periods beginning

More information

The Auditor s Communication With Those Charged With Governance

The Auditor s Communication With Those Charged With Governance The Auditor s Communication With Governance 2083 AU Section 380 The Auditor s Communication With Those Charged With Governance (Supersedes SAS No. 61.) Source: SAS No. 114. Effective for audits of financial

More information

Financial Forecasts and Projections

Financial Forecasts and Projections Financial Forecasts and Projections 1345 AT Section 301 Financial Forecasts and Projections Source: SSAE No. 10; SSAE No. 11; SSAE No. 17. Effective when the date of the practitioner s report is on or

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Letters for Underwriters and Certain Other Requesting Parties

Letters for Underwriters and Certain Other Requesting Parties Letters for Underwriters 2341 AU Section 634 Letters for Underwriters and Certain Other Requesting Parties (Supersedes SAS No. 49.) Source: SAS No. 72; SAS No. 76; SAS No. 86. See section 9634 for interpretations

More information

Independent Accountants Report

Independent Accountants Report KPMG LLP 345 Park Avenue New York, NY 10154-0102 Independent Accountants Report To the Management of Unisys Corporation: We have examined the assertion by the management of Unisys Corporation (Unisys)

More information

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors)

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) ASA 600 (October 2009) Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Issued by the Auditing and Assurance Standards Board

More information

accounting alert New Wording for the Independent Auditor s Report

accounting alert New Wording for the Independent Auditor s Report Certified Public Accountants accounting alert 2006-04: December 14, 2006 New Wording for the Independent Auditor s Report In a capsule A new wording for the independent auditor s report with unqualified

More information

Management s Discussion and Analysis

Management s Discussion and Analysis Management s Discussion and Analysis 1473 AT Section 701 Management s Discussion and Analysis Source: SSAE No. 10. Effective when management s discussion and analysis is for a period ending on or after

More information

Compilation of Financial Statements

Compilation of Financial Statements Compilation of Financial Statements 2011 AR Section 80 Compilation of Financial Statements Issue date, unless otherwise indicated: December 2009 See section 9080 for interpretations of this section. Source:

More information

SSARS 19. Objectives and Limitations of Compilation and Review Engagements. Hierarchy of Compilation and Review Standards and Guidance

SSARS 19. Objectives and Limitations of Compilation and Review Engagements. Hierarchy of Compilation and Review Standards and Guidance SSARS 19 The Accounting & Review Services committee has issued Statement on Standards for Accounting & Review Services No. 19. Generally the standard is effective for compilations and reviews of financial

More information

SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS EXAMINATION PROGRAM

SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS EXAMINATION PROGRAM 7/30/07 SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS Instructions: EXAMINATION PROGRAM This Model Program lists the major procedures and steps that should be

More information

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA, CITP, Partner at RubinBrown, LLP Janis Parthun, CPA, CITP, Sr. Technical Manager

More information

Audit Considerations Relating to an Entity Using a Service Organization

Audit Considerations Relating to an Entity Using a Service Organization Audit Considerations Relating to an Entity 349 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128. Effective for audits of financial

More information