MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS

Transcription

1 Mayer Hoffman McCann P.C. An Independent CPA Firm

2 MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Since its issuance in 1992, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70) has been the gold standard in performing audits of internal control on service organizations. With the prevailing momentum of Sarbanes-Oxley regulation in 2002 and the proliferation of internet driven application technologies reaching a global audience, SAS 70 became widely popular to those service organizations that had increased accountabilities to their client partners (user organizations) and auditors (user auditors) alike. Perhaps attributed to its growing name recognition during this time, SAS 70 became the audit standard of choice for many service organizations with an international client base. Given the rapid growth of the service organization business model, the need to accommodate a much more international audience was imminent. Accordingly, the move by the AICPA s Auditing Standards Board (ASB) to update the guidelines by which service organizations and service auditors have abided by for many years has proven to be necessary and relevant to the service organization model of today. SAS 70: Ground Rules To put it simply, SAS 70 provides a report on a service organization s internal control related to financial statement assertions of user organizations. Although a myriad of rules and guidelines apply to both service organizations and service auditors alike, a lot of which are beyond the scope of this white paper, the following are ones that provide both general and distinct facts of SAS 70: A U.S. based audit standard established by the AICPA. Other countries have their own guidelines of performing service organization audits (e.g. United Kingdom Audit and Assurance Faculty Standard (AAF) 01/06; Canada Canadian Institute of Chartered Accountants (CICA) 5970; and Germany IDW PS 951). Are not based on pre-established control objectives. Page 1

3 MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Limited to service organization controls related to financial statement assertions of user organizations. Do have scope exclusions such as business continuity, disaster recovery, privacy, and other non-financial related assertions. Are limited in its report distribution to the service organization s clients and their auditors. Are not marketable to a service organization s prospective client base. Why the Change to a New Standard? Service Organizations with a Global Footprint: The reality of today is that many service organizations reach a global client audience whereby, in some cases, audit reports are expected based on the standards issued by the appointed governing body of a particular country. Consequently, service organizations have had to absorb extensive costs to accommodate country specific regulations to where their clients reside. To help alleviate this issue, the International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements 3402, or ISAE 3402, with the main premise of offering a universal audit standard complementary to those standards common to many country specific regulations that govern the requirements of service organization audits. Following suit, the AICPA s Auditing Standards Board (ASB) decided to review the existing SAS 70 standard with the intent to more closely align with the IAASB s ISAE 3402, all in an effort to accommodate the needs of a burgeoning international client market. Lessons Learned By the ASB: In addition to its efforts to demonstrate an alliance with the IAASB as mentioned earlier, the ASB also used the opportunity to re-think the nature of service organization audits and whether Page 2

4 MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 they rightfully deserve to fall under audit vs. attest standards, with those standards being Statement on Auditing Standards (SAS) and Statement on Standards for Attestation Engagements (SSAE), respectively. After much deliberation, the ASB determined that an examination of a description of a system and controls is not an audit of financial statements (i.e. which would fall under SAS ) and is instead closer aligned with subject matter or an assertion other than the fairness of the presentation of financial statements (i.e. which would fall under SSAE ). Thus, the decision to change the standards to which both service organizations and service auditors have historically abided by (i.e. from SAS 70 to SSAE No. 16 or SSAE 16) was conceived. What Are the Changes? In acknowledgement of its support of ISAE 3402 and its decision to modify the principle of how service organization audits should be perceived, the ASB released SSAE No. 16, or SSAE 16, with the underlying intent of SSAE 16 to serve two primary purposes: 1) As a way to substantiate the ASB s standards, thus replacing SAS 70 with SSAE 16 effective for periods ending on or after June 15, 2011 (with earlier implementation permitted); and 2) To offer new guidance that more closely aligns with ISAE The following table outlines some relationships and differences primarily between SAS 70 and SSAE 16 with ISAE 3402 guidance used for comparative purposes. Scope Topic SAS 70 SSAE 16 ISAE 3402 Limited to controls related to financial statement assertions of user organizations. Limited to controls related to financial statement assertions of user organizations. Controls can extend beyond financial reporting such as operational risk, privacy, wider regulatory compliance, business continuity, and disaster recovery. Page 3

5 MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Topic SAS 70 SSAE 16 ISAE 3402 Management Assertion* No management assertions are required other than certain representations made by management as defined in the management representation letter. Management of the service organization will now be required to provide the service auditor with a written assertion about the fairness of the presentation of the description of the system, and about the suitability of the design and, in a Type 2 engagement, the operating effectiveness of the controls. Same as SSAE 16 Service Auditor s Opinion For Type II engagements, the description of the service organization s system and the service auditor s opinion on the description is as of a point in time. For Type II engagements, the description of the service organization s system and the service auditor s opinion on the description will cover a period of time. Same as SSAE 16 Use of the Work of the Service Organization s Internal Audit Function For Type II engagements, if the service auditor uses work performed by internal auditors of the service organization, the service auditor should take responsibility for that work, and should neither make reference to nor attribute the performance of the tests and results of the tests to the internal auditors. For Type II engagements, if the service auditor uses work performed by internal auditors of the service organization, the section of the report that describes the service auditor s tests of controls and results should include a description of the internal auditor s work and of the service auditor s procedures with respect to that work. Same as SSAE 16 Management Representation Letter Management representations explicitly stated and acknowledged prior to issuance of report. Management representations including a reaffirmation of management s assertion. Same as SSAE 16 * See Appendix A for illustrative examples of Type 2 and Type 1 management assertion statements. Page 4

6 MHM S AUDITING PERSPECTIVE: STANDARD NO. 5 Topic SAS 70 SSAE 16 ISAE 3402 Subsequent Events Discussions Required Required Not Required Report Audience Restricted to intended users. Restricted to intended users. Restricted to user entities and their auditors, but may also include additional restrictive user language. So What Now?!? Although SSAE 16 is effective for service auditor reports for periods ending on or after June 15, 2011, earlier implementation is permitted. Given the ASB s final issuance of SSAE 16 as of March, 2010 and its allowance to consider early adoption, it is clear that the ASB believes early adoption of SSAE 16 for even audits performed in calendar year 2010 is a viable option. As a way to offer a road map to SSAE 16 adoption, MHM suggests the following action items: Appoint a designee(s) within your organization who will be tasked with developing management s assertion statement. This is the most significant change to come, and accordingly, thoughtful attention it deserves as you will be responsible in providing this communication as either a part of or addition to your SSAE 16 report. According to SSAE 16, the monitoring of controls is a process to assess the effectiveness of internal control performance over time. With the requirement of a management assertion statement, check with your service auditor to determine whether management s monitoring activities provide evidence of the design and operating effectiveness of controls in support of management s assertion. Page 5

7 Review existing controls and control objectives to determine whether you have adequately identified associated risks that may threaten the achievement of those control objectives. The development of a risk assessment undoubtedly will support your assertions related to the control objectives of your SSAE 16 audit report. If you choose to early adopt SSAE 16, service organizations should check with clients to confirm their acceptance. If you are currently using sub-service organizations that are included in your current SAS 70 audit (i.e. inclusive method), confirm with those organizations that they are prepared to accommodate for the SSAE guidelines, namely that a management assertion statement will apply to them as well. Consider performing a preparedness exercise or readiness assessment prior to the SSAE 16 audit itself. This will help service organizations anticipate any audit surprises that may come about especially given the fact that this will be both new to you and your service auditor. Get to know the SSAE 16 standard Although much of the standard applies to your service auditor, you should understand the standard holistically. SAS 70 audits have been used by many organizations as a marketing tool, communicate with your customer relationship/sales people about the change; essentially provide them with a basic understanding and an elevator speech. Likewise, management and operation executives will need to understand what they are getting out of the SSAE 16 audit and the differences with the historic SAS 70 audit. Educate your customers. You ve previously spent time trying to get them to understand what a SAS 70 audit is, and now you re going to throw the new term of SSAE 16 audit into conversation. Spend some time making sure they understand what the change is about and what the benefit or value is to them as a result of the change. Page 6

8 How MHM Can Help New standards that impact your organization can be overwhelming especially when you neither have the time and the resources to vet through policy documentation in granular detail. MHM is capable of providing direction related to SSAE 16 in many ways: With the requirement of providing a management s assertion statement that will contribute to the overall make-up of your SSAE 16 audit report, MHM can assist in the development of a risk assessment to support your assertions that you make related to the fairness of the presentation of the description of the system, the suitability of the design and, in a Type 2 engagement, the operating effectiveness of the controls. Remember that management s assertions are ultimately decided by management and not the service auditor. Assist you in evaluating the best options for both you and your customers. Assist you to determine whether early adoption of the standard is beneficial. Conduct limited testing and identify operating effectiveness gaps. Provide remediation recommendations to management for consideration prior to the actual attestation audit period. Provide guidance on the more subtle changes that will come along with the adoption of SSAE 16. As much branding and respect that the SAS 70 has achieved over the course of its existence, it is now time to begin thinking about its heir apparent SSAE 16 and the changes that it will usher in to your future audits. Adequate preparation and better understanding the impact that SSAE 16 will have on your organization will be the key ingredients to your success in the adoption of the new standard. Page 7

9 Apendix A The following illustrative management assertions are for guidance only and are not intended to be exhaustive or applicable to all situations. The assertion by management of the service organization may be included in management s description of the service organization s system or may be attached to the description. The following illustrative assertions are intended for assertions that are included in the description. Example 1: Assertion by Management of a Service Organization for a Type 2 Report XYZ Service Organization s Assertion We have prepared the description of XYZ Service Organization s [type or name of] system (description) for user entities of the system during some or all of the period [date] to [date], and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities financial statements. We confirm, to the best of our knowledge and belief, that a. the description fairly presents the [type or name of] system made available to user entities of the system during some or all of the period [date] to [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including (1) the classes of transactions processed. (2) the procedures, within both automated and manual systems, by which those transactions are initiated, Page 8

10 authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system. (3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system. (4) how the system captures and addresses significant events and conditions, other than transactions. (5) the process used to prepare reports or other information provided to user entities of the system. (6) specified control objectives and controls designed to achieve those objectives. (7) other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system. ii. does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment. b. the description includes relevant details of changes to the service organization s system during the period covered by the description when the description covers a period of time. Page 9

11 c. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period [date] to [date] to achieve those control objectives. The criteria we used in making this assertion were that i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization; ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority. Example 2: Assertion by Management of a Service Organization for a Type 1 Report XYZ Service Organization s Assertion We have prepared the description of XYZ Service Organization s [type or name of] system (description) for user entities of the system as of [date], and their user auditors who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities information and communication systems relevant to financial reporting. We confirm, to the best of our knowledge and belief, that a. the description fairly presents the [type or name of] system made available to user entities of the system as of [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including (1) the classes of transactions processed. (2) the procedures, within both automated and manual systems, by which those transactions Page 10

12 are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system. (3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports provided to user entities of the system. (4) how the system captures and addresses significant events and conditions, other than transactions. (5) the process used to prepare reports or other information provided to user entities of the system. (6) specified control objectives and controls designed to achieve those objectives. (7) other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system. ii. does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment. b. the controls related to the control objectives stated in the description were suitably designed as of [date] to achieve those control objectives. The criteria we used in making this assertion were that Page 11

13 i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization. ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not provide the control objectives stated in the description from being achieved. For more information on this topic, please contact your MHM advisor, or visit us online at Copyright Mayer Hoffman McCann P.C. All rights reserved. Page 12