Common Assurance Standards
SSAE 16: SSAE 16 is an enhancement of the earlier standard for reporting on controls at a service organization, SAS 70. The changes bring service organization reporting in the US into line with the newer international standard, ISAE 3402, and so help US companies compete at an international level. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010, formally issued in April 2010, and became effective on June 15, 2011. SSAE 16 replaces SAS 70 as the authoritative guidance for reporting on service organizations. If a company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another company (the ‘User Organization’), it will more than likely be asked to provide an SSAE 16 Type II report, especially if the User Organization is publicly traded. Some example industries include:
- Payroll Processing
- Loan Servicing
- Data Center/Co-Location/Network Monitoring Services
- Software as a Service (SaaS)
- Medical Claims Processors
ISAE 3402: International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard under which public accountants can issue a report, for use by user organizations and their auditors (user auditors), on those controls at a service organization that are likely to affect, or form part of, the user organization’s system of internal control over financial reporting.
Type I and Type II SOC Reports: SOC stands for Service Organization Controls. One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report. There are two types of Service Auditor’s Report: Type I and Type II. A Type I report covers the service organization’s description of its controls as of a specific point in time (e.g. June 30, 2012). A Type II report includes the description of controls and, in addition, detailed testing of those controls over a period of at least six months (e.g. January 1, 2012 to June 30, 2012). The contents of each type of report are described below.
In a Type I report, the service auditor expresses an opinion on the subject matter provided by the management of the service organization as to:
- whether the service organization’s description of its system fairly presents the system that was designed and implemented as of a specified date; and
- whether the controls related to the control objectives stated in management’s description of the system were suitably designed to achieve those control objectives, also as of that specified date.
In a Type II report, the service auditor expresses an opinion on the subject matter provided by the management of the service organization as to:
- whether the service organization’s description of its system fairly presents the system that was designed and implemented throughout the specified period;
- whether the controls related to the control objectives stated in management’s description of the system were suitably designed throughout the specified period to achieve those control objectives; and
- whether those controls operated effectively throughout the specified period to achieve the control objectives.
A Type I report therefore says nothing about whether the controls actually operated; only a Type II report provides evidence of operating effectiveness over time, which is why user organizations and their auditors normally ask for Type II.
SOC 1 Report: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and of the user entities’ auditors as they evaluate the effect of the service organization’s controls on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal control over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act, and of the work of the user entities’ auditors as they plan and perform audits of the user entities’ financial statements.
SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. These reports are intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to one or more of security, availability, processing integrity, confidentiality and privacy. They are performed using the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, and are intended for use by stakeholders (e.g. customers, regulators, business partners, suppliers, directors) of the service organization who have a thorough understanding of the service organization and its internal controls. Unlike a SOC 1 report, a SOC 2 report is not about financial reporting: it is the report to request from a provider when the concern is the security, availability or confidentiality of the service itself. These reports can form an important part of stakeholders’:
- Oversight of the organization
- Vendor management program
- Internal corporate governance and risk management processes
- Regulatory oversight
http://www.ssae-16.com/
http://isae3402.com/ISAE3402_overview.html
http://isae3402.com/ISAE3402_reports.html
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx
ISAE (International Standard on Assurance Engagements) 3402 is an assurance standard for documenting that a service organisation has adequate internal controls.
Like SAS 70 and SSAE 16, ISAE 3402 prescribes Service Organization Control reports, which help give assurance to the organisation’s customers and service users, who may have their own assurance needs. There are two kinds of SOC reports:
- Type I: documents a “snapshot” of the organisation’s controls as of a specific date.
- Type II: documents the controls over a period of time (typically at least six months), showing that they have been managed and have operated over that period.
ISAE 3402 was developed and issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC). Internationally it takes the place of SAS 70 (which SSAE 16 replaced in the US), and it puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.
The full title of AAF 01/06 is “Assurance reports on internal controls of service organisations made available for third parties – Technical Release AAF 01/06”. It was issued by the Institute of Chartered Accountants in England and Wales (ICAEW) and was the first Audit and Assurance Faculty (AAF) technical release published in 2006, hence the name “AAF 01/06”. It was produced to provide comfort, via assurance reporting, over the design, implementation and operating effectiveness of controls.
AAF 01/06 is also used in conjunction with the IAASB’s ISAE 3402, “Assurance Reports on Controls at a Service Organization”. Services covered by AAF 01/06 are custody, investment management, pension administration, property management, fund accounting, transfer agency, information technology (also covered by ITF 01/07), private equity, investment administration, hedge fund management and the UK Stewardship Code.
GUIDANCE STATEMENT GS 007 – Audit Implications of the Use of Service Organisations for Investment Management Services
Issued by the Auditing and Assurance Standards Board (AUASB) of Australia. This Guidance Statement applies to: (a) auditors (user auditors) of entities which use service organisations to provide investment management services; and (b) auditors (service auditors) of those service organisations, who provide audit and assurance reports which may be used as audit evidence in the audit of the user entity’s financial report.