
Reporting on Controls at a Service Organization - SSAE No. 16

Publisher: AICPA

Background

Many entities outsource business tasks or functions to other entities. In Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, the entity that outsources a task or function is known as a user entity, and the entity that performs a service for user entities is known as a service organization. An example of a service organization is an investment adviser that invests assets for user entities, maintains the accountability for those assets, and provides statements to user entities that contain information that is incorporated in the user entities’ financial statements, for example, the fair value of exchange traded securities, or dividend and interest income. Another example of a service organization is a data center that provides applications and technology that enable user entities to process financial transactions.

In SSAE No. 16, an auditor who audits the financial statements of a user entity is known as a user auditor. In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization. In some cases, the user entity is able to implement controls at the user entity over the service performed by the service organization. In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions. In the latter case, it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities. The user auditor could visit the service organization and test the service organization’s controls that are relevant to the user entity’s internal control over financial reporting. However, because many entities use the service organization, a number of user auditors may visit the service organization, require the assistance of service organization personnel, and disrupt the business of the service organization.

Another alternative is for the service organization to (1) prepare a description of the service organization’s system, including the control objectives and related controls that are likely to be relevant to user entities’ internal control over financial reporting, and (2) engage a service auditor to report on the fairness of the presentation of the description, the suitability of the design of the controls, and in certain engagements, the operating effectiveness of the controls. That report, including the description of the system, can be used by all the user auditors to obtain information about the controls at the service organization that are relevant to the user entities’ internal control over financial reporting.

Two Types of Engagements

SSAE No. 16 contains the requirements and guidance for a service auditor reporting on a service organization’s controls. It enables a service auditor to perform two types of engagements:

  • A type 2 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • A type 1 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Requirements and Guidance for Service Auditors Moved to SSAEs

Prior to the issuance of SSAE No. 16, the requirements and guidance for service auditors and user auditors were included in SAS No. 70, Service Organizations (AU section 324). The AICPA’s Auditing Standards Board, as part of its project to converge audit, attest, and quality control standards with those of the International Auditing and Assurance Standards Board (IAASB), decided that the guidance for service auditors in AU section 324 of Statements on Auditing Standards should be moved to the SSAEs, and the guidance for user auditors should be retained in AU section 324.

SSAE No. 16 is based on the IAASB’s International Standard on Assurance Engagements No. 3402, Assurance Reports on Controls at a Service Organization. At the end of April 2010, the ASB will issue a new SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization, that is based on the IAASB’s International Standard on Auditing 402, which bears the same title as the proposed SAS. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU section 324. The effective date of the proposed SAS is for audits of financial statements for periods beginning on or after December 15, 2010.

Changes Introduced by SSAE No. 16

The following are some changes in the requirements for a service auditor’s engagement introduced by SSAE No. 16:

  • The service auditor is required to obtain a written assertion from management of the service organization about the subject matter of the engagement. For example, for a type 2 engagement, the service auditor would obtain a written assertion by management about whether, in all material respects, and based on suitable criteria:

    • Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period,
    • The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives, and
    • The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
  • Suitable criteria are used to measure, present, and evaluate the subject matter. Paragraphs 14–16 of SSAE No. 16 provide suitable criteria for the fairness of the presentation of a service organization’s description of its system and the suitability of the design and operating effectiveness of its controls.
  • The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
  • The service auditor’s examination report must contain the report elements identified in paragraph .85 of AT Section 101. (These report elements are tailored to a service auditor’s engagement in paragraphs .52 and .53 of SSAE No. 16.)
Paperback 2010
Product# 023035