In April 2010, the American Institute of Certified Public Accountants introduced a new attestation standard, the Statement on Standards for Attestation Engagements 16 (SSAE 16).  With an effective date of June 15, 2011, SSAE 16 supersedes the Statement on Auditing Standards No. 70 (SAS 70), which provided guidance regarding the examination of control activities at service organizations.  Although SAS 70 was a globally recognized and accepted standard, there was a need to update and improve it so that it aligned more closely with internationally accepted accounting principles.

As with SAS 70, SSAE 16 outlines the standards to be used by auditors when they examine and report on the control activities of service organizations.  In particular, service organizations must demonstrate that they have the appropriate controls and safeguards in place when they host or process data belonging to their customers.  This provides customers with the assurance that their confidential information is under sound internal control.

Although there are many similarities between SAS 70 and SSAE 16, there are key changes that should be noted.  These changes are outlined below:

Description of the System

Pursuant to SSAE 16, service organizations are now responsible for preparing a description of their “system” (defined to include aspects of the service organization’s control environment, risk assessment process, information and communication systems (including relevant business processes), control activities and monitoring activities that are relevant to the services provided) rather than simply their “controls”, as was required under SAS 70.  It is largely agreed that this is a more onerous requirement, and service organizations are encouraged to re-examine their prior description(s) of “controls” to ensure compliance with SSAE 16 going forward.

Management Assertion

SSAE 16 also requires that service organizations provide a written assertion by management that: (i) the description fairly presents its “system”; (ii) the control objectives were suitably designed and operating effectively; and (iii) the criteria used for making these assertions were in place and consistently applied.  This written assertion may be included in the description of the “system” or attached to the description of the “system” itself. 

Additional Changes

SSAE 16 provides several other relevant changes, including the requirement to describe the use of subservice organizations through either an inclusive or carve-out method of presentation:

  • Carve-Out Method:  The service organization must include, in the description of the “system”, the nature of the services performed by any subservice organization, excluding the subservice organization’s control objectives and related controls; however, the controls in place for monitoring the effectiveness of the controls at the subservice organization should be set out.  
  • Inclusive Method:  The service organization must include, in the description of the “system”, the services performed by the actual subservice organization, along with the relevant control objectives and related controls of the subservice organization.

In addition, the service organization must formally identify the risks that threaten the achievement of the control objectives set out in the description of the system.  If it uses the work of internal auditor(s) to examine its controls, the objectivity and competency of the internal auditor(s) must be evaluated, and their work must be supervised and reviewed by the independent service auditor.

The Canadian Perspective

In response to the introduction of SSAE 16, and its international equivalent (ISAE 3402), the Auditing and Assurance Standards Board has issued a new Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416), which replaces the Auditor’s Report on Controls at a Service Organization, Section 5970 (S 5970). 

CSAE 3416 has been modeled after SSAE 16 and, as a result, is materially aligned with the new standards in the United States; however, it is important to note that an auditor’s report can be tailored to meet the criteria of multiple standards.

CSAE 3416 will be effective December 15, 2011.   

Conclusion

The introduction of SSAE 16, as well as CSAE 3416, provides needed changes to the approach to the examination of control activities at service organizations, and allows service organizations to facilitate consistent reporting worldwide.  Going forward, service organizations will need to be aware of the changes to ensure compliance with the new standards.