Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Transcription

1 SAS 70 EVOLUTION: Here comes SSAE 16 PLANNING FOR THE NEW SERVICE ORGANIZATION REPORTING STANDARDS The prevalence of SAS 70 audits has grown dramatically since the standards issuance in April of The importance of the standard cannot be understated in the value it has provided, serving the needs of service providers, user organizations and user auditors to report on the effectiveness of service organizations internal controls. Major changes effective June 15, 2011: 1. More detailed requirements for the description of the service organization s system of controls. 2. Adds a written assertion from management. 3. Adds a risk analysis. 4. Increases clarity and reporting requirements for the use of subservice organizations. 5. Changes auditor opinion on control design effectiveness from a single date to the entire period of time covered by the report. Service organizations of all sizes have demonstrated their commitment to internal controls by proactively obtaining a Service Auditor s Report. However, the increasing importance of effective controls and reporting processes, combined with globalization and regulatory concerns, have prompted the issuance of a new standard that replaces SAS 70 for US based service organizations. How will the new standard affect my business? How do I prepare to meet the new requirements? In April 2010, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 supersedes Statement on Auditing Standards No. 70, Service Organizations (SAS 70). SSAE 16 is applicable when an entity (the user entity) outsources a business task or function to another entity (the service organization) and the data resulting from that task or function is incorporated in the user entity s financial statements. For example, if a health insurance company outsources its medical claims processing, and the resulting claims data is used to record its claims expense and related liability, the insurance company is responsible for the accuracy of the data even though the data is generated by the claims processor.

2 While similar to SAS 70, the new SSAE will require changes to service organizations reports and reporting processes. For some service organizations, these changes will be relatively minor. For others, significant efforts will be required to change their reports, reporting processes or both. To determine the impact of and how best to plan for implementation of the new standards, service organizations need to understand the following: Reasons for the new SSAE and timing Service organization responsibilities under the new SSAE Action steps to implement the new SSAE Reasons for the new SSAE and timing While SAS 70 has worked effectively for many service organizations, a number of factors resulted in the need for the new SSAE, including: 1) The globalization of business process outsourcing Business process outsourcing has grown from regional shared service organizations created by specific industries to multinational and local organizations serving many different industries for a mixture of local, regional and international organizations. As a result, the information required in a SAS 70 report may no longer be sufficient for user entities. 2) The movement to align the US accounting standards with international standards While it is used globally, SAS 70 is a US standard, and engagements must be performed in accordance with the AICPA US Auditing Standards. Consequently, current reports may not respond to the needs of user entities and their auditors outside the US. SSAE 16 will correspond almost in its entirety with the IAASB (International Auditing and Assurance Standards Board) issued regulation ISAE Before After Effective 3) Service organization s report versus service auditor s report SAS 70 was developed as an auditor-to-auditor communication; a way for the service auditor to share audit workpapers with the user auditor, who then could rely on this work in planning and executing the financial statement audit. However, the regulatory landscape has seen significant changes, and governments, regulators, boards of directors and financial statement users are placing ever-increasing emphasis on internal control over financial reporting. These stakeholders, as well as the user auditors, now need a report from and by the service organization describing its internal control. This, in turn, significantly increases the importance of management s description of its system. The independent service auditor s opinion remains critical, but its role is as a provider of assurance, not the entity responsible for the communication. Service organization SERVICE AUDITOR SAS 70 SSAE 16 June 15, 2011 SERVICES SAS 70 User entity USER ENTITY AUDITOR New SAS TBD: Clarified auditing standard for user entities. December 16, 2012 (Anticipated) Timing The new standard is effective for reports for periods ending on or after June 15, 2011, with early adoption permitted. Because many reporting periods cover 12 months and begin in July, SSAE 16 affected many organizations as early as July 1, 2010.

3 Service organization responsibilities under the new SSAE Under the new SSAE, service organizations will be affected by five significant changes in responsibility not previously seen under SAS 70: 1. Describing the service organization s system Under SAS 70, a service organization provides a description of controls. Under SSAE 16, a service organization provides a description of its system as designed and implemented. The service organization s description of its system would include the following: (1) the services provided, including classes of transactions processed; (2) the procedures by which services are provided, including transaction initiation, authorization, recording, processing, and correction; (3) the capturing of significant events and conditions other than transactions; and (4) the process used to prepare reports of information provided to user entities. 2. Management s assertion SSAE 16 requires that management must provide a written assertion to be placed in the report. The assertion must communicate (1) the service organization management s responsibility for the description of controls and (2) the achievement of the evaluation criteria of the description of the system. 3. Risk Analysis SSAE 16 requires the service organization to support management s assertion through identifying risks that threaten the achievement of the control objectives. It must also determine whether the controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives from being achieved. 4. Subservice organization involvement Similar to SAS 70, under SSAE 16 the carve-out and inclusive methods are still available for dealing with services provided by subservice organizations in the report. However, if a service organizations involvement requires the use of the inclusive method, the subservice organization must prepare a management assertion report similar to the assertion report prepared by the service organization s management. Getting subservice organization management to agree to provide this assertion may be more difficult than obtaining a letter of representation. (Note: a letter of representation from the subservice organization is still required.) This is even more likely to be a challenge when the subservice organization is a small unit of a much larger organization. 5. Period of control operating effectiveness In a Type 2 engagement, the description of the service organization s system will cover a period of time (e.g. 6 or 12 months), rather than being as of a specified date. Previously under SAS 70, the auditor s opinion only covered the controls placed in operation at a single point in time. The guidance for user auditors, currently in AU Section 324, will be unchanged until a currently proposed SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization (Redrafted), becomes effective. The proposed SAS does not contain any significant changes for user auditors. SSAE 16 will be located in Section 801 of the attestation standards. SSAE 16 is effective for service auditor s reports for periods ending on or after June 15, 2011, with earlier implementation permitted.

4 Action steps to help your company implement the new SSAE There are several key steps required to implement the new SSAE standard. 1. Determine when to implement - The implementation date for the adoption of the new SSAE has some important considerations. The New Standards must be adopted for periods ending on or after June 15, 2011, with earlier adoption permitted. Service organizations should consider the potential benefits of early adoption, including whether: Market benefits exist for early adoption of the new SSAE by demonstrating your understanding of their risk requirements and compliance needs; Non-US user entities have a preference for reports issued under the international standard; Determine whether subservice organizations will be treated under the inclusive method and the challenges resulting from this method. 2. Notify subservice organizations All subservice organizations used should be considered with the implementation of the new SSAE. If a current SAS 70 report uses the inclusive method for one or more subservice organizations, early discussions with the subservice organization(s) are critical. An assertion report from subservice organization management may be difficult to obtain. Early communication with subservice organization management will reduce the risk of the subservice organization refusing to provide an assertion report when the final report is issued. Consider modifying the reporting approach if the inclusive method is used if a service provider obtains their own report on their internal controls, either under SSAE 16, SAS 70, or other acceptable standard. If a subservice organization has an acceptable report for the services it provides to you and your customers, it is usually easier to provide your customers with a copy of the subservice organization s report and limit your report to only your processes. You should discuss this reporting strategy with these subservice organizations. 3. Notify your customers A change management plan should be developed for controlling communication of the new SSAE and roll-out of your future report under the SSAE standard. Your service organization report is one part of your service portfolio. The term SAS 70 report has become the generic term for service organization reports and has developed its own brand identity. However, as of the effective date of the new SSAE, SAS 70 will no longer be accurate, so converting to the term Service Auditor s Report is appropriate. In preparing for the change you should consider: How you will communicate the changes in the New Standards to your clients. Multiple communications may help them understand the nature of the change, including a cover letter attached to the first report issued under the new standard explaining the change. If you do not early-adopt the new SSAE standard in 2010, you should consider communicating your implementation plans in the 2010 report. Review your standard contracts to determine whether the term SAS 70 is used. Consult with your legal counsel regarding any required changes and assess the impact on existing contracts. Make sure that your sales and client service personnel understand the pending change and its impact to your clients. Their ability to explain the change can reduce client confusion and uncertainty.

5 For more information on the Standards for Attestation Engagements (SSAE) No. 16, contact: 4. Review your system description and the description of all relevant controls As mentioned, many existing SAS 70 reports will need only minor modifications to comply with the new SSAE, but some reports will require more extensive modifications. In updating your report for the new standard, you should consider reviewing the criteria used to evaluate the description(s) of the system(s). While the standard sets minimum criteria for the description, other criteria may be appropriate to include. You should consult with us as part of this process. LARRY HESSNEY Director Re-evaluate the risks facing your organization against your existing control objectives As previously described, the risks that threaten the achievement of the control objectives are required to be identified and stated in the description. The identified controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved. Your control objectives should focus only on those aspects of your services that can affect your clients financial statement assertions. Consider whether your control objectives are complete, and evaluate whether all of them are necessary. In identifying the risks, use your risk assessment process. Most organizations perform regular risk assessments, either formally or informally. These risk assessments address both financial and operating risks, including risks of not meeting service-level agreements. F R E E D M A X I C K. C O M BUFFALO 420 Main Street Suite 800 Buffalo, NY BATAVIA One Evans Street Batavia, NY ROCHESTER 100 Meridian Centre Suite 310 Rochester, NY

6 F R E E D M A X I C K. C O M