Editor's Note: The following is an excerpt from Attorney's Handbook of Accounting, Auditing and Financial Reporting, new Chapter 11 (Matthew Bender).
Statement on Auditing Standards (SAS) No. 70, "Service Organizations," was designed to assist an independent accountant who audits the financial statements of entities, which, in turn, use "service organizations" (e.g., payroll processors, investment managers, electronic data centers that manage hosting and disaster-recovery procedures, claims receipts and payment administrators, etc.) to perform a variety of organizational tasks.
In 2010, the AICPA and its global counterpart, the International Auditing and Assurance Standards Board (IAASB), superseded SAS 70 by issuing new standards relating to the preparation and use of a report on a service organization's controls.
Beginning in mid-2011, reports on controls at service organizations will be performed in accordance with one of the following new attestation standards:
- Statement on Standards for Attestation Engagements No.16 (SSAE 16), "Reporting on Controls at a Service Organization," and
- International Standards on Attestation Engagements No. 3402 (ISAE 3402), "Assurance Reports on Controls at a Service Organization."
Because SASs provide guidance principally on the audits of financial statements, the guidance relating to the examination of controls at a service organization will be removed from SAS 70 and placed in an SSAE, which is the type of pronouncement used when it is appropriate to provide assurance on other types of subject matter. Indeed, SSAE 16 is the standard that will replace the service-auditing portion of SAS 70 in the United States -- though it is expected to take some time before the well-recognized term, "SAS 70," disappears from the vernacular.
SSAE 16 is expected to be the pronouncement most favored by those service organizations the customers of which are primarily based in the United States. Although service organizations with a global reach may use SSAE 16, they may decide instead that ISAE 3402 would communicate more effectively with those customers used to international accounting and auditing processes.
As with SAS 70, a SSAE 16 or ISAE 3402 examination will focus on controls relevant to a user entity's internal control over financial reporting. Under the new standards there will continue to be two types of reports:
- Type 1: Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls, and
- Type 2: Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls.
In general, differences between the old and new standards are subtle; for example, a service auditor's opinion will still be based on overall objectives similar to those of SAS 70. Nonetheless, each incorporates a number of modifications and changes, one of the most significant of which is a requirement for a "management assertion" section within both Type 1 and Type 2 reports. Going forward, this means that management will need to provide a written declaration in the body of the report about the fair presentation of the description of its system, the suitability of the design of the controls, and, in the case of a Type 2 report, the operating effectiveness of the controls.
RELATED LINKS: Comprehensive coverage provided by the Attorney's Handbook of Accounting, Auditing and Financial Reporting is available in print at the LexisNexis® Store.
LEXIS users can also access additional insight by visiting LexisNexis® Tax Center online:
Discover the features and benefits of LexisNexis® Tax Center
For quality Tax & Accounting research resources, visit the LexisNexis® Store