The new service auditor standard and your business
On June 15, 2011, the American Institute of Certified Public Accountants' (AICPA) reporting standard known as SSAE 16 replaced the SAS 70 standard under which U.S. service organizations have their internal controls examined. With SSAE 16, the AICPA developed a reporting standard intended to align with the internationally accepted standard on service organization controls, ISAE 3402. As a result, U.S. service providers with an international presence now have a single, globally recognized reporting framework.

Initially, SAS 70 reports were intended to assist in the audit of third-party service providers whose services affected a customer's financial controls. Over time, however, companies expanded their use of these reports to cover service providers whose services expose the company to compliance risk generally, whether or not those services touch the company's financial controls. For example, IT service providers (such as software-as-a-service, cloud computing, data center and co-location providers) have routinely been asked for an SAS 70 report regardless of whether the services they offer actually support a customer's financial controls.

Reliance on SAS 70 became even more prevalent after the 2002 enactment of the Sarbanes-Oxley Act, which requires public companies to evaluate and certify their internal controls over financial reporting, whether those controls are maintained in-house or by an outsourced service organization. As a result, SAS 70 audit reports evolved into an extension of a company's internal governance and compliance program.
For obvious reasons, these reports were attractive assurances for executives who were now personally responsible for signing the Sarbanes-Oxley certifications. Accordingly, reports under SAS 70, and now SSAE 16, have emerged as the generally accepted way for companies to gain comfort with their service providers' controls and, in turn, have become an essential compliance monitoring tool.

SSAE 16 itself, like SAS 70, is limited to controls relevant to a customer's financial reporting. What has changed is the surrounding framework: alongside SSAE 16 (the SOC 1 report), the AICPA introduced SOC 2 and SOC 3 reports, which cover controls over security, availability, processing integrity, confidentiality and privacy. Those are the operational and compliance controls (for example, IT security policies and procedures) that customers of IT service providers most often want examined, and a customer asking a cloud or hosting provider for "an SSAE 16" is usually asking for the wrong report.

Additionally, SSAE 16 requires the service organization's management to provide a description of its overall "system" (the services, infrastructure, software, people, procedures and data that support the controls) together with a written assertion that the description is fairly presented and that the controls are suitably designed. SAS 70, by contrast, called only for a description of the controls themselves, with no management assertion about the system as a whole.

As with SAS 70, SSAE 16 reports come in two types. In a Type I report, the auditor expresses an opinion on whether the controls the service organization describes actually exist and are suitably designed as of a specified date. In a Type II report, the auditor additionally opines on whether those controls operated effectively over a specified period. A Type II report also describes the auditor's tests of operating effectiveness and their results, so that the recipient can judge how any exceptions might affect its own operations. Just as with SAS 70, the primary focus of an SSAE 16 audit remains the service provider's controls as they relate to the recipient company's financial reporting.
That is not to say, however, that an SSAE 16 report should be reserved for purely financial services. Many IT services, such as software as a service and cloud hosting, affect a company's controls over financial reporting both directly and indirectly. Annual SSAE 16 audits will therefore likely remain an essential tool for companies to monitor and assess the risks associated with a service provider's offerings.

These reports, however, should not be a company's sole evaluation of whether proper controls are in place. A report covers only the controls, systems, locations and period that the service organization's management chose to describe, and its conclusions assume that the customer has itself implemented the "complementary user entity controls" the report lists. Prudent companies will want to reserve, in the service contract, the right to perform their own audits and test the provider's controls (and, for IT services, to run a vulnerability scan against the in-scope environment) in order to supplement the assurances of an SSAE 16 report and to confirm for themselves that the provider's controls are appropriate for the company's needs.

Andrew Share, an associate in Nixon Peabody LLP's Global Business & Transactions practice in Manchester, can be reached at 603-628-4053 or ashare@nixonpeabody.com.