International standards will be replacing SAS 70 audits soon. These new standards will bring more flexibility and responsibility for service organizations. We’ve laid out some information below to help you understand the change. For more information, please contact us.
The International Auditing and Assurance Standards Board (IAASB) felt a need for a common auditing standard to address the differences in each country's audit requirements. As a result, the IAASB formed and issued the International Standard on Assurance Engagements (ISAE) 3402 ‘Assurance Report on Controls at a Service Organization’ on December 18, 2009. ISAE 3402 is not a means to replace country-specific standards (e.g., SAS 70) but to provide a reporting option that addresses current limitations. The new AICPA standard SSAE 16 will replace the existing SAS 70 standard effective June 15, 2011, and early adoption is permitted.
What has changed?
Although there were many discussions that the AICPA would expand the SAS 70 scope beyond financial reporting relevance, this is not the case for SSAE 16; however, the AICPA has provided guidance to cover this limitation under AT Section 101. Below is a summary of the changes affecting the current SAS 70 standard:
- Management is responsible for a description of their system. Previously management was only responsible for the description of controls.
- Management is responsible for providing a written assertion statement supporting their system description.
- Subservice organizations that are included via the inclusive method are also required to include a written assertion statement similar to the service organization.
- The service auditor’s opinion will change: the auditor is now required to report on the design of the system throughout the audit period.
- A requirement to explain the use of internal audit or management testing.
How can service organizations prepare?
- Start communication with your auditor and user organizations.
- Identify the needed changes to your current SAS 70 audit.
- Assess how this will impact your compliance efforts and develop a plan immediately.
How is ISAE 3402 or SSAE 16 going to affect service organizations?
- Service organizations are going to be required to sign off on an assertion confirming the accuracy of the description of their system and that their control activities were operating effectively.
- Service organizations are going to need to perform an assessment of their controls (monitoring procedures) in order to sign off on their assertion.
- A full description is now required for processes and controls covered in your SAS 70 audit report (many organizations already cover this requirement; however, a number of reports issued over the past years have had very limited descriptions).
- A risk assessment over the scope of your audit to determine the adequacy of your controls.
It is highly recommended that organizations start preparing for the upcoming changes to the SAS 70 audit standard. Some organizations may face significant roadblocks in completing future engagements after the changes to the SAS 70 audit standard become effective.
Our Risk Advisory professionals would love to answer your questions about the changing audit standards. Please feel free to leave a comment below or give us a call at 440-449-6800.