SSAE 16 Article JoA


  • 8/13/2019 SSAE 16 Article JoA


    AUDIT & ATTEST SERVICES

    Replacing SAS 70
    New standards for engagements involving outsourcing
    by Judith M. Sherinsky, CPA

    Guidance for CPAs who audit the financial statements of entities that outsource work to service organizations and those who report on controls at service organizations is being revamped and relocated.

    Since 1992, Statement on Auditing Standards (SAS) no. 70, Service Organizations, has been the source of the requirements and guidance for CPAs reporting on controls at service organizations and for CPAs auditing the financial statements of entities that use service organizations to accomplish tasks that may affect their financial statements. SAS no. 70 has been divided and replaced by two new standards. One is a Statement on Standards for Attestation Engagements (SSAE), also known as an attestation standard; the other is a SAS (an auditing standard). The requirements for reporting on controls at service organizations have been placed in SSAE no. 16, Reporting on Controls at a Service Organization (see Official Releases, page 82). The requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

    Moving the requirements for CPAs reporting on controls at service organizations to the attestation standards better reflects the nature of the work being performed. SASs primarily provide guidance on reporting on an audit of financial statements, whereas the SSAEs primarily provide guidance on reporting on other subject matter. In a service auditor's engagement, a CPA

    32 Journal of Accountancy August 2010 www.journalofaccountancy.com


    from the user entity before initiating each transaction because the broker-dealer has been authorized by the user entity to initiate transactions.

    The broker-dealer usually provides the user entity with trade confirmations as well as periodic statements to inform the user entity of the transactions that have occurred, its holdings at a specified date, their value and the earnings on the investments. In that situation, all of the information provided to the user entity comes from the broker-dealer, and the user auditor may need to obtain information about the effectiveness of the broker-dealer's controls that affect the quality and reliability of the information provided to the user entities.

    Even though such controls are located and operating at the service organization, they are relevant to the user entity's internal control over financial reporting because they are designed to prevent, or detect and correct, errors in the information provided to user entities. If controls at the broker-dealer are operating effectively, errors in the data provided to the user entities will be prevented, or detected and corrected, and misstatements in the user entities' financial statements will be avoided.

    HOW TO OBTAIN INFORMATION ABOUT A SERVICE ORGANIZATION'S CONTROLS

    One approach a user auditor may take to obtain information about controls at a service organization that affect the data provided to user entities is to visit the service organization and test its controls. Theoretically this approach should work; however, when many businesses outsource to a service provider, there may also be many user auditors requesting to visit the service organization and talk to its personnel, all of which disrupts the service organization's business.

    To avoid this problem, a service organization may engage a CPA to report on controls at the service organization that affect the information provided to user entities and included in their financial statements. […] commonly known as a service auditor's engagement, and the CPA performing such an engagement is known as a service auditor.

    Service organizations that undergo such an engagement generally provide copies of the service auditor's report to their user entities, and the user entities provide them to their user auditors. The report enables user auditors to obtain evidence about the quality and accuracy of the information provided to the user entities. SSAE no. 16 contains the requirements and guidance for a CPA reporting on a service organization's controls that are relevant to user entities' internal control over financial reporting.

    In a service auditor's engagement, management of the service organization must provide a description of the service organization's system that includes, among other things, the nature of the service provided to user entities, how the service is performed, the service organization's controls over the service, and the related control objectives.

    SSAE no. 16 enables a service auditor to issue two types of

    EXECUTIVE SUMMARY

    * As part of the Auditing Standards Board's efforts to converge U.S. and international standards, SAS no. 70 is being divided into parts and replaced by two new standards. The changes also place the standards in areas that better reflect the nature of the subject matter and the work performed.

    * SSAE no. 16, Reporting on Controls at a Service Organization, is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization. It is effective for reports for periods ending on or after June 15, 2011. Earlier implementation is permitted.

    * One new requirement in SSAE no. 16 is for the service auditor to obtain a written assertion from the service organization's management about the fairness of the presentation of the description of its system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls.

    * In May, the ASB finalized a new SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization, that is based on the IAASB's International Standard on Auditing no. 402. It expands on how an auditor audits the financial statements of an entity that outsources tasks that affect its financial statements to enable the auditor to fulfill two requirements of the risk assessment standards: obtaining an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement, and designing and performing further audit procedures responsive to those risks.

    * Requirements for CPAs examining and issuing reports on controls over subject matter other than financial reporting are housed in AT section 101, Attest Engagements, of the attestation standards, not under SSAE no. 16 (nor under SAS no. 70). The AICPA is developing a new guide that addresses reporting on a service provider's controls over subject matter other than financial reporting.

    Judith M. Sherinsky ([email protected]) is a technical manager, audit and attest standards, for the AICPA.

    To comment on this article or to suggest an idea for another article, contact Kim Nilsen, JofA editorial director, at knilsen@aicpa.org or 919-442-4048.


    both the new SAS and SSAE no. 16 take effect. That decision was made because the guidance for service auditors and for user auditors in AU section 324 is so intertwined that, if the guidance for service auditors were deleted, the guidance for user auditors would no longer be meaningful.

    Until the new SAS takes effect, user auditors should use the guidance currently in AU section 324. A notation will be placed at the beginning of AU section 324 informing readers that the guidance for service auditors has been superseded by SSAE no. 16. The new SAS does not contain any significant changes for user auditors. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU section 324. (The guidance for service auditors will be in the attestation standards.)

    HOW TO REPORT ON CONTROLS OVER SUBJECT MATTER OTHER THAN FINANCIAL REPORTING

    In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities' internal control over financial reporting, for example, controls over the privacy of customers' information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

    There is increasing demand for reports on controls over subject matter other than financial reporting. For example, many user entities are required by law or regulation to maintain the privacy of the information they collect from customers, including the privacy of that information when it is at a service organization. To address these requirements, management of the user entity may ask the service organization for a CPA's report on the effectiveness of its controls over the privacy of the information it processes for user entities.

    If a CPA is engaged to examine and issue a report on controls over subject matter other than financial reporting, such an engagement should be performed under AT section 101, Attest Engagements, of the attestation standards, but not under SSAE no. 16 (nor under SAS no. 70).

    The increasing use of cloud computing facilities, which provide user entities with on-demand network access to a shared pool of computing resources, such as networks, servers, storage, applications and services, has created an increased demand for reports by CPAs on controls over subject matter other than financial reporting at cloud computing facilities. A special task force of the AICPA Assurance Services Executive Committee is developing a new guide, Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, that will specifically address such engagements, which are performed under AT section 101. That guide is expected to be available in early 2011.

    TRANSITIONING

    Most service auditors believe that new SSAE no. 16 and the related user auditor SAS will not significantly change practice. Up until the issuance of ISAE no. 3402, the international auditing and assurance standards contained an ISA for user auditors but did not contain a standard for service auditors performing a service auditor's engagement. Many aspects of new ISAE no. 3402 are based on SAS no. 70 as well as the detailed implementation guidance in the related AICPA Audit Guide, Service Organizations: Applying SAS No. 70, as Amended. […] with the existing service organization standards become familiar with the geography of the new standards (user auditor guidance in the SASs, service auditor guidance in the SSAEs), it is likely that the transition will not be difficult.

    AICPA RESOURCES

    Webcast

    * "SAS 70 the Next Generation: Planning for the New Service Organization Standards" (#7*o22s)

    Websites

    * Read […] frequently asked questions document at tinyurl.com/36mxc23

    Publications

    * To help CPAs make the transition from SAS no. 70 to SSAE no. 16, a task force of the ASB is revising the existing Audit Guide Service Organizations: Applying SAS No. 70, as Amended (the SAS 70 guide) to reflect the requirements and guidance in SSAE no. 16. The revised guide is expected to be available for sale in […]

    * The Audit Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy will address reporting on a service provider's controls over subject matter other than financial reporting. It is slated for release in early 2011.

    For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.

    On-Site Training

    * […] for Accountants and Auditors (#AUAA)

    To access courses, go to aicpalearning.org and click on "On-Site Training," then search by "Acronym Index." If you need assistance, please contact a training representative at 800-634-6780 (option 1).
