On June 15, 2011, the American Institute of Certified Public Accountants’ (AICPA) SSAE 16 effectively replaced the SAS 70 reporting standard for US service organizations to test their internal controls. Accordingly, companies that are evaluating an audit period ending on or after June 15, 2011 should consider whether an SSAE 16 report, and not a SAS 70, is appropriate.
Previously, SAS 70 reports have been widely utilized by outsourcing service providers (such as those that offer payroll service, software as a service, cloud computing services, and data center and co-location services) in order to demonstrate to their customers that proper business controls are in place. Additionally, since 2002 the Sarbanes-Oxley Act has required public companies to evaluate and certify their internal controls that are relevant to financial reporting, whether those controls are resident in-house or are maintained by an outsourced service organization. SAS 70 Type II, and now SSAE 16, reports have emerged as the accepted method for certifying a service organization’s controls and thus have become an essential compliance monitoring tool.
Unlike the SAS 70, which focused heavily on financial reporting controls, the SSAE 16’s scope extends beyond financial control issues and includes other types of controls, such as those related to compliance and operations such as IT security policy and procedures. Additionally, the SSAE 16 standard requires the service organization’s management to now provide a description of the overall “system” that maintains the service organization’s controls as well as a written assertion of the suitability of the system’s design. In contrast, the SAS 70 standard merely provides a description of a service organization’s controls without comment on the system, as a whole, that maintains those controls.
As with the SAS 70 standard, two types of SSAE 16 reports can be issued. In a type 1 report, the auditor expresses an opinion on whether the controls that the service organization claims to use actually exist and whether they were suitably designed. In a type 2 report, however, the auditor will also include an opinion on whether those controls were not only suitably designed but also operating effectively. A type 2 report also includes a description of the auditor’s tests of operating effectiveness and the results of those tests, which is intended to permit a better determination of how the results of those tests might affect the service recipient’s operations.
Finally, with the SSAE 16 standard, AICPA has developed a reporting standard intended to better align with international reporting standards. As a result, a global standard is now available for U.S. companies that have an international presence.