New norms for service cos' reporting

MP Badrinath | Updated on January 17, 2011

Come June 2011, SAS 70 in its present form will become history, making way for SSAE 16, issued by the American Institute of Certified Public Accountants (AICPA), and International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB). Together, SSAE 16 and ISAE 3402 are called the New Standards. This turn of events comes at a time when service organizations were just getting accustomed to SAS 70 and understanding its effect on their organizations and businesses.

Why do we need the change? Let us understand the reasons behind change in general, and this change in particular.

SAS 70 has perhaps outlived its utility and, apart from a few significant modifications since it was issued in April 1992, has not kept pace with developments. The increasing importance of effective controls and reporting processes, combined with globalization and regulatory concerns, has prompted the issuance of two new standards as replacements for SAS 70 for service organizations.

Why new standards?

SAS 70 is essentially auditor-to-auditor communication. The significant change in the regulatory landscape has brought in other stakeholders such as regulators, governments, boards of directors and financial-statement users, who are placing increasing emphasis on internal control over financial reporting. These stakeholders, in addition to auditors, need a report from and by the service organization, describing its internal controls. This requirement significantly increases the importance of the management’s description of the system. Even in the new dispensation, the service auditor’s opinion is critical, but its role is that of an assurance provider and not that of the entity responsible for the communication.

The next reason is the globalization of business process outsourcing. Business process outsourcing has grown from regional shared service organizations for specific industries to multi-national organizations serving all types of organizations.

Another reason is the need to respond to the requirements of user entities and their auditors outside the US: although SAS 70 is used globally, it is essentially a US standard conforming to AICPA US auditing standards.

Service organization responsibilities under the New Standards

The most visible difference between a report prepared under SAS 70 and one prepared under the New Standards is the management’s written assertion. The assertion is a separate component of the report, presented on the service organization’s letterhead and signed by member(s) of management, who take responsibility for the description of the system and assert that the description meets its evaluation criteria. Another responsibility is that of identifying risks that threaten the achievement of control objectives; however, these risks need not be described or specifically identified in the service organization’s description of the system.

Other changes include the following:

Preparing and presenting a complete and accurate description of the system.

Specifying control objectives of the system and stating those control objectives in the description of the system.

Identifying risks that threaten the achievement of the control objectives, although the risks are not included in the service organization report.

Designing, implementing and maintaining controls to provide reasonable assurance that the control objectives will be achieved.

Changes to service auditor responsibilities under the New Standards

Next, we consider the changes to the service auditor’s responsibilities under the New Standards. From being an auditing standard under SAS 70, the standard is now part of the AICPA attestation standards under SSAE 16. This technical change was made to help service auditors by eliminating certain inconsistencies and ambiguities. Another change that service auditors need to note concerns the use of work done by the internal audit function. While both SAS 70 and the New Standards permit the use of work done by the internal audit function, under the New Standards the service auditor, for a type-2 report, is required to describe the work performed by the internal audit function as well as the procedures used to test that work. Although it is not prescribed how this information is to be presented, it is suggested that the description be provided in the introduction to the service auditor’s tests.

Impact on reports with inclusive sub-service organizations

Due consideration is required for changes in the handling of an inclusive sub-service organization. Sub-service organizations are also required to prepare a management assertion similar to the one the service organization’s management prepares. This could be a Herculean task compared with obtaining a letter of representation from sub-service organizations under SAS 70.

Action steps to help service organizations implement the New Standards

One of the first steps will be to settle the date of adoption. As mentioned previously, the New Standards are effective for reports issued on or after 15 June 2011; earlier adoption is permitted.

The next step will be to determine whether sub-service organizations will be treated under the inclusive method. If the report is going to be inclusive, early discussions with the sub-service organizations are critical, as they reduce the risk of a sub-service organization refusing to provide an assertion when the final report is issued.

This is followed by developing a change management plan to deal with the service organization’s clients and to ensure that its sales personnel understand the changes. It is also important that service organizations communicate the changes to user organizations to help them understand the nature of those changes.

Service organizations should review master services agreements to evaluate where and how SAS 70 is mentioned and relied upon. Further, legal counsel should be consulted regarding required changes and an assessment of the impact on existing contracts.

Last but not least, service organizations should review the system description and identify requisite changes.

Welcome SSAE 16.


(The author is Director, Risk Advisory Services, Ernst & Young Pvt. Ltd.)

Published on January 17, 2011
