Advisory – Cost-Effectively Transitioning to SSAE 16

by Bud Genovese, Managing Director, AuditOne Inc.

Rationale why SSAE 16 replaces SAS 70, effective June 15, 2011

The new rules, entitled Statement on Standards for Attestation Engagements #16 (SSAE 16) replaces the SAS 70, and become effective for reports for periods ending on or after June 15, 2011. With increased globalization of services, the SSAE 16 was issued by the American Institute of Certified Public Accountants to align with the International Standard on Assurance Engagements – ISAE 3402.

Major Changes of Responsibilities from the SAS 70 to the SSAE 16

AuditOne Inc.’s analysis concludes that the major SSAE 16 changes for service providers essentially reduce to:

  1. The service provider needs to perform or obtain a risk assessment that identifies risks that could threaten the achievement of the control
  2. The service provider must develop a written statement of “the description of the provider’s system” that will be included in Section 2 of the SSAE16
  3. The service provider will also provide an “Assertion by Management” to accompany the description.

Type I or Type II for your SSAE 16 Review?

As with the SAS 70, service providers must choose either a SSAE 16 Type I or SSAE 16 Type II Review. Essentially, the Type I review evaluates and details a service organization’s description of its system for processing user entity transactions or information at a specific point in time and opines on the suitability of the design of controls to achieve the related control objectives stated in the description.

The Type II review evaluates and details a service organization’s description of its system for processing user entity transactions or information at a specific point in time and opines on the suitability of the design and the operating effectiveness of controls to achieve the related control objectives stated in the description.

What New Steps Should I Take to Complete the SSAE 16?

There are three main areas to understand and comply with in the transition from the SAS 70 to the SSAE 16 rules: 1) risk assessment; 2) description of system; and 3) assertion statement. AuditOne Inc. can help you with all three, but your understanding of these new standards is essential.

1)  Risk Assessment

Background: SSAE 16 standards require the service provider to support its management assertions by: identifying the risks that threaten the achievement of the control objectives; and, determining whether the controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives from being achieved.

These risks do not need to be described in the service organization’s description of the system, but must be identified as part of the due diligence to make the assertions now required by the service provider in the report.

Action Step: Service providers should have a process to periodically (at least annually or when major changes take place) identify and assess risks that may threaten the achievement of the control objectives. This risk assessment process can be performed in-house or by a qualified consultant or audit provider.

2)  Management’s Description of System

Background: Management’s description of the services provided, including classes of transactions processed, should include a summary level of detail to permit the user to understand the nature of the services. For service organizations that process transactions for user entities, a description of the classes of transactions processed should provide the information necessary to identify a user entity’s significant accounts to which the transactions are posted. The description of the services provided should provide the information necessary to identify the significant user entity processes that are affected by the services (e.g., payroll expenses, cash disbursements, accounts payable and payroll tax reporting for the payroll function). For service organizations that provide an information systems platform, the description should include the services that the user entities are likely to find significant.

Description should also include, as applicable, the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction. The description of the system should convey a concise, summary level understanding of the flow of transactions or activities from start to finish, as well as the processes by which information errors are corrected.

Description of the system also must include the identification of other types of activity that affect the processing of transactions and services, such as information technology general controls.

Description of the system should include a description of the process used to prepare reports and provide information that user entity management relies on to run the business.

Action Step: If you’ve performed a SAS 70 in the past, review prior descriptions of systems and processes to update this text to meet the new SSAE 16 “description of system” requirements as noted in above background. If this is your first such review, use the above background to help meet the new SSAE 16 “description of system” requirements.

3)  Management’s Written Assertion

Background: Another major difference between a SAS 70 report and a report prepared under the new SSAE 16 standard is management’s written assertion. This assertion can be included in the system description report section, but must be on the service organization’s letterhead and signed by a member of management.

The assertion communicates the service organization management’s responsibility for the description of the system, including, as applicable, that the description of the system:

  • presents how the system was designed to process relevant transactions
  • classes of transactions processed
  • procedures, both manual and automated, by which transactions are authorized, processed, corrected (as needed), and transferred to reports presented users of the system,
  • process used to prepare reports for users
  • specified control objectives and controls designed to achieve those objectives,
  • risk assessment process
  • other control activities part of the internal control environment, including monitoring controls relevant to processing and reporting transactions to users
  • does not omit or distort information relevant to scope of the system
  • discloses relevant details of changes to the system during the period covered
  • controls related to the controls objectives stated in the description were suitably designed and operating effectively throughout the period to achieve control objective, and the criteria made to make this assertion is that risks to control objectives have been identified, that controls noted in the description provide reasonable assurance that risks would not prevent the control objectives from being achieved, and that controls were consistently applied as designed, including manual controls.

Action Step: On your service organization’s letterhead, prepare a letter signed by management that includes, as applicable, the points noted in the above background. This assertion letter will be incorporated into the SSAE 16 report as a complementary part of the description of the system.