Greg Reda, CPA
SAS 70 / SSAE 16 Expert
Networking is not just an event; it is also thought leadership and content. My friend Greg Reda, Audit Senior Manager at Squar Milner, took my advice, developed expertise, and then wrote about it. The white paper below has been published, and it also gave Greg an opportunity to sit down with the Partners in his firm and talk about his expertise. A new business segment was born. It worked! Greg is developing a "book of business" and I'm blogging about it.
Congratulations Greg Reda!
SAS70/SSAE 16 Audits Overview and Changes
By: Gregory Reda – Senior Manager Business Risk Services
Squar Milner, CPAs
Newport Beach, CA
SAS 70 requirements have changed – Are you up to speed with SSAE 16 and ISAE 3402? For nearly 20 years, auditors and service organizations have relied on SAS 70 reports to ensure that companies have proper internal controls in place for financial reporting purposes. This summer, new standards took effect.
The objective of this article is to:
· Provide an introduction to SAS 70/SSAE 16 report audits, their importance, and their intended users
· Educate users of SAS 70/SSAE 16 reports on what to expect and how to use the reports
· Summarize the changes to SAS 70 as it has been superseded by SSAE 16
What is a SAS70/SSAE 16 Report?
A SAS 70/SSAE 16 report is an opinion, issued by a CPA firm, on specific internal controls and control objectives that affect the financial statements of a user entity. The audit procedures and resulting opinion are performed under a professional framework and set of standards issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The original standard was created in April 1992.
Purpose of a SAS70/SSAE 16 Report
A SAS 70/SSAE 16 report is designed to help your client’s financial statement auditors assess control risk, plan their audit, and design substantive tests in conjunction with the user’s financial statement audit. This auditor-to-auditor communication can also be used by management as an assessment tool.
The objectives of a SAS 70/SSAE 16 Type I or II Audit are to reasonably assure that:
- A set of controls has been placed in operation as of a specified point in time.
- The description of those controls is fairly represented by management.
- Those controls are suitably designed to achieve the control objectives specified by management.
- Tests applied to specific controls identified by management demonstrate operating effectiveness of the controls for a period of time (Type II only).
Interrelationships Among Organizations SAS 70/SSAE 16 - A Summary
Businesses outsource to service organizations more frequently these days, which can affect both business operations and financial statements. SAS 70/SSAE 16 audits are an independent examination of the internal controls of the service organization. A SAS 70/SSAE 16 report effectively serves as regular due diligence on the service organization’s performance.
Value of SAS 70/SSAE 16 Audits
A SAS 70/SSAE 16 audit provides customers with independent assurance about the controls in place and satisfies multiple customers through a single audit. It provides leverage with new clients and helps differentiate the service organization from the competition. These reports also provide independent feedback to management to define and monitor adherence to established operational metrics and to identify potential opportunities to strengthen business practices and the operating environment.
Getting Started
As the first step, a company should determine whether there is sufficient demand for the SAS 70/SSAE 16 audit. Next, assign a SAS 70/SSAE 16 lead, commit control owners, and understand the process, time and effort involved in defining the scope of controls, the type of audit and the timing. At this point, you should select a service auditor and confirm whether to issue a SOC 1, 2 or 3 report and a Type I or Type II report. The lead should then determine the impact of subservice organizations, self-assess the readiness of controls, and remediate any gaps noted. Finally, the lead should document the control descriptions, control objectives and control activities, and then plan, prepare for and participate in the SAS 70/SSAE 16 audit.
Tips for Defining Controls
- Leverage existing sources – request for proposal responses, due diligence questionnaires, compliance forms, quality control/internal audit.
- Start with a solid outline and then expand and formalize the controls.
- Review wording and presentation with your service auditor and isolate control activities from the control descriptions.
- Ensure management has a reasonable basis to assert the controls and monitor that they are operating effectively.
Migrating to SSAE 16 – Effective Date is June 15, 2011
Reasons for Change
- Global Implications – need for greater international consistency. International business growth, with more companies having multi-national interests, as well as an increase in outsourcing.
- New Technologies – SaaS, Cloud Computing, Virtualization and Mobile Computing.
- Clarity of Purpose – a common misunderstanding is that a SAS 70 report can be used to report on controls related to compliance requirements, such as HIPAA or PCI.
SSAE 16 – The Same
SSAE 16 is consistent with SAS 70 in that it focuses on internal controls at service organizations, emphasizes financial reporting, retains the concept of Type I and Type II reports, and keeps the structure of the report, the testing methods, the way use of subservice organizations is considered, and the use and restricted distribution of the report.
SSAE 16 – New Considerations
Selecting the Right Report
Question | Answer | Report
Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? | Yes | SOC 1 Report
Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? | Yes | SOC 1 Report
Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? | Yes | SOC 2 or SOC 3 Report
Do you need to make the report generally available or sealed? | Yes | SOC 3 Report
Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests? | Yes | SOC 2 Report
Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests? | No | SOC 3 Report
If you are unsure of the new requirements or would like additional information on how to comply with the new standards, please reach out to Jeff Boyd and Greg Reda at Squar Milner, 949-872-5130.