SAS 70, Dead at 18

Bewildered auditors left behind. How does this affect you and your firm?

October 7, 2010
by Sukanya Mitra

The accounting and finance world was stunned by the sudden death of SAS 70 at 18 years young, but this change had to take place because of the impending convergence to IFRS.

Bad Practices to Avoid

Statement on Auditing Standards No. 70 (SAS 70) was created in 1992 to provide guidance on the factors independent auditors should look at when auditing the financial statements of an entity that uses a service organization to process certain transactions. In addition, SAS 70 provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.

SSAE No. 16, Reporting on Controls at a Service Organization, was created as a result of the Accounting Standard Board’s (ASB) project to clarify its standards and converge them with International Auditing and Assurance Standards Board’s (IAASB) standards. The IAASB’s standard for service auditors is part of its assurance standards and thus the guidance for service auditors was moved there.

For example, if your firm is an accounting firm that outsources payroll to ADP, Paychex or another payroll service firm, then the outsourced firm conducting your payroll services will be considered a “service organization,” while your firm is the “user entity.” SSAE 16 is applicable when an entity outsources a business task or function to another entity [that specializes in that function or task] and the data resulting from that function is incorporated in the outsourcer’s financial statements.

SSAE 16 allows CPAs to provide two types of service auditor’s reports:

1.  Type 1 Report. This allows the service auditor to provide an opinion on whether a description is accurately presented and whether it describes what exists accurately; and

2.  Type 2 Report. In addition to what is reported in Type 1, this report also allows the service auditor to note whether or not the controls that are in place are operating effectively.

Many cloud providers have previously noted that they are SAS 70-certified to emphasize authority of sorts. A popular misconception about SAS 70 is that a service organization becomes ‘certified’ as SAS 70-compliant after undergoing a Type 1 or Type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor-to-auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.

Due to the increasing demands of CPAs reporting on nonfinancial reporting controls implemented by cloud service providers, a special task force of the Assurance Services Executive Committee is writing a new guide addressing such engagements, which are performed under AT Section 101.

SSAE 16 is effective for service auditor’s reports for the periods ending on or after June 15, 2011, with earlier implementation permitted. This is the same effective date as the effective date of the IAASB’s standard for service auditors.

Auditors should note that during the interim period in which SSAE 16 becomes effective, but before the new clarified SAS for user auditors becomes effective, the current guidance for service auditors (AU Section 324) will not be deleted. During this time a notation has already been placed in Professional Standards at the beginning of AU Section 324 informing readers that SSAE 16 has superseded the guidance for service auditors.

AICPA is revamping and rewriting its service organizations (SAS 70) guide to reflect the requirements and guidance in SSAE 16.

Effect on Service Auditor’s Engagement

There have been two key issues because of SSAE 16:

  1. Service organization management is required to provide service auditors with a written assertion about the fairness of the presentation of the description of the system in addition to the suitability of the design. For Type 2 reports, the service organization must also provide the operating effectiveness of the controls.
  2. In Type 2 engagements, the description of the service organization’s system must match the auditor’s opinion on the description during a set period, which is the same period in which the service auditor ran tests of the effectiveness of operating controls. This is different from SAS 70, in which the description of the service organization’s system in a Type 2 report was as of a particular date and not based on a period.

Additional Resources

Reporting on Controls at a Service Organization — SSAE No. 16

Statement on Auditing Standards (PDF)



Sukanya Mitra is managing editor of the AICPA Insider™ e-newsletter group.