800 S. Douglas Road, Suite 940N, Coral Gables, FL 33134 | call 305 447 6750 | www.emrisk.com | email: info@emrisk.com

SSAE 16 and AT Section 101
A Changed Approach to Assurance

Since 1992, Statement on Auditing Standards (SAS) No. 70 has been the source of guidance for service organizations, user entity external auditors, and service auditors. SAS 70 was recently divided and replaced by two new standards.

The first is the SAS "Audit Considerations Relating to an Entity Using a Service Organization," developed for user entity external auditors. The Auditing Standards Board (ASB) has finalized this auditing standard, but it is not effective until December 15, 2012, and early implementation is not permitted.

The second is Statement on Standards for Attestation Engagements (SSAE) No. 16, "Reporting on Controls at a Service Organization" (AT section 801), developed for the service auditor. SSAE 16 became effective on June 15, 2011.

SAS 70 was split because external auditors rely on auditing standards when reporting on the audit of financial statements, whereas SSAE 16 provides guidance to the service auditor for reporting on the service organization's description of its system (including controls and control objectives) as it relates to financial reporting. The major changes between SAS 70 and SSAE 16 include the following:

- A written assertion by service organization management regarding the description of the system and the design and operating effectiveness of its controls (including control objectives);
- The exclusion of evidence from prior periods about the satisfactory operation of controls as a basis for reducing testing in the current period;
- The identification of work performed by the service organization's internal auditors, and of the service auditor's procedures with respect to that work; and
- In a type 2 engagement, the service auditor's opinion on the description of the system and on the design and operating effectiveness of its controls (including control objectives) throughout a period rather than as of a specified date.
The description of the system covers the same period as the service auditor's opinion (AICPA, 2011).

SSAE 16 Guidance Expanded Again

In the past, a SAS 70 review was often used inappropriately to report on controls over compliance, systems, and processes that were clearly unrelated to user entities' internal control over financial reporting. Because of this confusion and lack of clarity in scope, the nature of an SSAE 16 review has been redefined and the AICPA has
issued further guidance on providing assurance on controls that are unrelated to financial reporting. Reporting on a service organization's controls relevant to user entities' internal control over financial reporting continues to be performed under SSAE 16. Reporting on controls that are unrelated to financial reporting must now be performed under SSAE "Attest Engagements," AT section 101, which allows a service auditor to report on subject matter other than financial statements. The attestation standards were developed to provide guidance on the growing number of services that CPAs are asked to report on. The subject matter of such engagements may include:

- Historical or prospective performance or condition (for example, historical or prospective financial information, performance measurements, and backlog data);
- Physical characteristics (for example, narrative descriptions, square footage of facilities);
- Historical events (for example, the price of a market basket of goods on a certain date);
- Analyses (for example, break-even analyses);
- Systems and processes (for example, internal control);
- Compliance with laws, regulations, and contracts; and
- The effectiveness of controls over privacy (AICPA, 2009).

Three New Reporting Options: SOC 1, SOC 2, and SOC 3

Service Organization Control (SOC) 1 Report

An engagement conducted under SSAE 16 now results in a Service Organization Control (SOC) 1 report. A SOC 1 engagement focuses on the service organization's controls relevant to user entities' internal control over financial reporting. The two report types are unchanged: a type I report assesses the fairness of the description of the system and the suitability of the design of controls to achieve the control objectives; a type II report includes the same assessment of design but adds an opinion on the operating effectiveness of controls, together with the tests of controls performed and their results.
Both report types require an assertion by management, as defined in SSAE 16, and both are restricted-use reports limited to the service organization, its existing user entities, and their auditors.

One of the most significant differences between SOC 1 and SOC 2 engagements is the scope and boundaries of the system of internal control. In a SOC 1 engagement, the controls that achieve control objectives for financial statement assertions remain the same and cover the following:

- Classes of transactions in the user entity's operations that are significant to the user entity's financial statements;
- Automated and manual procedures by which transactions are initiated, authorized, recorded, processed, and reported in the financial statements;
- The capture of other events and conditions that are significant to the financial statements; and
- The financial reporting process used to prepare the financial statements, including significant accounting estimates and disclosures (AICPA, 2011).

However, the general computer controls defined in the description and assessed by the service auditor must be re-evaluated so that the information security, change management, and computer operations control objectives relate only to internal control over financial reporting and are not commingled with broader objectives for the security, availability, processing integrity, confidentiality, or privacy of the system, which are the scope of a SOC 2 engagement. The change in scope can be determined by refocusing on the general control objectives and associated controls that relate to the financial reporting application and the control environment that supports it.
SOC 2 Report

An engagement that provides assurance on controls at a service organization other than those relevant to user entities' internal control over financial reporting is now performed under AT section 101 and is called a SOC 2 engagement. A SOC 2 engagement assesses controls over one or more of the principles of security, availability, processing integrity, confidentiality, or privacy. Assurance is provided on all system components relevant to the principle being assessed, using the criteria in the AICPA's Trust Services Principles, Criteria, and Illustrations.
Like a SOC 1 report, a SOC 2 report comes in two types, type I and type II. A type I report includes the following:

- Management's description of the service organization's system;
- A written assertion by management that the system of controls described has been designed and implemented as of a specified date, and was suitably designed to meet the applicable trust services criteria as of that date; and
- A service auditor's report that expresses an opinion on those matters (AICPA, 2011).

A type II report is similar, but it also includes an opinion on the operating effectiveness of controls, together with the tests performed and their results. In addition, when the description addresses the privacy principle, management must include a statement that it complied with the commitments in its statement of privacy practices throughout the period, and the specific tests and results related to that compliance must also be reported.

In both type I and type II engagements, management's written assertion is attached to the description of the service organization's system; when the report addresses the privacy principle, the statement of privacy practices is attached as well. Both types of SOC 2 report are restricted to management of the service organization and other specified parties.

As noted above, one of the most significant differences between SOC 1 and SOC 2 engagements is the scope and boundaries of the system of internal control. A SOC 2 engagement assesses controls over one or more of the security, availability, processing integrity, confidentiality, or privacy principles across all system components related to each principle, whereas a SOC 1 engagement assesses controls over the initiation, authorization, recording, processing, and reporting of financial transactions and the general computer controls that support the financial reporting system.
These boundaries need to be understood. The AICPA provides the following illustration for a SOC 2 engagement:

    In a SOC 2 engagement that addresses the privacy principle, the system boundaries cover, at a minimum, all the system components, as they relate to the personal information lifecycle, which consists of the collection, use, retention, disclosure, and disposal or anonymization of personal information, within well-defined processes and informal ad hoc procedures, such as emailing personal information to an actuary for retirement benefit calculations. The system boundaries would also include instances in which the personal information is combined with other information (for example, in a database or system), a process that would not otherwise cause the other information to be included in the scope of the engagement. That notwithstanding, the scope of a privacy engagement may be restricted to a business unit or geographical location, as long as the personal information is not commingled with information from, or shared with, other business units or geographical locations (AICPA, 2011).

From a SOC 2 perspective, the description of the system may cover one or more information system resources that support the security, availability, processing integrity, confidentiality, or privacy principles, including:

- Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks);
- Software: the programs and operating software of a system (systems, applications, and utilities);
- People: the personnel involved in the operation and use of a system (developers, operators, users, and managers);
- Procedures: the automated and manual procedures involved in the operation of a system; and
- Data: the information used and supported by a system (transaction streams, files, databases, and tables) (AICPA, 2011).
Finally, the guidance for performing a SOC 2 engagement also clarifies the meaning of the term security and the difference between privacy and security. Security is interpreted more narrowly in a SOC 1 engagement than in a SOC 2 engagement: in a SOC 1 engagement, security refers mainly to the protection of information from unauthorized access or disclosure, whereas in a SOC 2 engagement that addresses the privacy or confidentiality principle, security relates more broadly to the authorization, protection, and integrity of transactions throughout the system. As for the difference between privacy and security, privacy encompasses a broader set of activities beyond security that contribute to the effectiveness of a privacy program (AICPA, 2011).

SOC 3 Report

A SOC 3 engagement is similar to a SOC 2 engagement, but a SOC 3 report contains only a limited description of the system, a written assertion from management, and the service auditor's opinion. It is designed for users who do not need the detail of a SOC 2 report; the AICPA's position is that SOC 3 reports address a market need because both current and prospective customers may use them. As in a SOC 2 engagement, the criteria for evaluating the design and operating effectiveness of controls in a SOC 3 engagement are the Trust Services Principles, Criteria, and Illustrations. A service organization that completes a SOC 3 engagement may also display the SysTrust for Service Organizations seal on its website. SOC 3 reports are general-use reports and may be distributed publicly, including to customers, regulators, business partners, suppliers, and management. An assertion by service organization management is required; a report may still be issued without one, but in that case the form of the report will differ and its use should be restricted.

Confusion All Over Again!

With increasing internal control breakdowns, fraud, and theft of confidential and private information, regulation of internal control continues to grow, and with the benefits of outsourcing comes a transfer of risk. User entity management needs assurance that its service organization's system has been updated for the new requirements. Management must determine whether:

- Risk is sufficiently addressed. Does the service organization's control environment include a risk assessment process, information and communication systems, and control and monitoring activities? The control environment is critical because it has a pervasive effect on whether controls are suitably designed and operating effectively;
- New complementary user entity controls need to be developed or implemented because of changes in the service organization's description of its system; and
- The mix or share of operations handled by subservice organizations working with the service provider has changed, and whether the service organization's description adequately addresses this through the inclusive or carve-out method. Relationships with subservice providers are often not fully understood and can be unintentionally understated in the service organization's report.

Management must also develop more detailed assertions for SOC 1, 2, and 3 engagements. The assertion must fully address the description of the system and the design and operating effectiveness of its controls (including control objectives) against the new criteria.

Numerous issues related to the service organization's description of the system have also arisen with the implementation of the new standards. Service organization management needs to ensure that:

- The scope of the description of the system is appropriate and complies with applicable regulatory requirements; general computer controls will differ between SOC 1 and SOC 2 engagements;
- Control objectives and associated controls address the new requirements and criteria defined in the standards; the scope of a SOC 2 engagement covers controls unrelated to financial reporting, including those that support the security, availability, processing integrity, confidentiality, or privacy principles;
- The AICPA's Trust Services Principles and Criteria have been properly integrated into the description of the system, since these criteria are what the service auditor measures against in a SOC 2 or SOC 3 engagement; and
- Risk assessment and management activities are updated or expanded as necessary.
The AICPA has recently issued an Alert and two guides on the changing dynamics of assurance services related to controls at service organizations. This guidance will help both user entity and service organization management understand the increased requirements and the differences in definition and scope among SOC 1, SOC 2, and SOC 3 engagements.
References

AICPA. (2011). Service Organizations: New Reporting Options Alert. Strengthening Engagement Integrity, Safeguarding Reporting. New York, NY: AICPA.

AICPA. (2011). Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1). New York, NY: AICPA.

AICPA. (2011). Reporting on Controls at a Service Organization (SOC 2). New York, NY: AICPA.

Sherinsky, J. M. (2010). Replacing SAS 70: New Standards for Engagements Involving Outsourcing. Journal of Accountancy. Retrieved from http://www.journalofaccountancy.com/issues/2010/aug/20103009.htm

Klein, M. (2011). SAS 70, SSAE 16, SOC and Data Center Standards. OTBlog. Retrieved from http://resource.onlinetech.com/sas-70-ssae-16-soc-2-and-soc-3-data-center-standards