Fall 2010

Establishing a New Standard

Service organizations and internal controls  
By Kirk Balcom, CIA CISA

Service organizations that process financial information or information used in financial statements are required to report on the effectiveness of the internal controls used to collect that information. That information is communicated through a Service Auditor’s Report. Since April 1992, these reports have followed the Statement on Auditing Standards No. 70 (SAS 70), established by the American Institute of Certified Public Accountants (AICPA). Beginning June 15, 2011, these standards will be replaced by Statements on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. How have the standards changed and, more importantly, how do the changes affect your organization? Let’s take a look.

Service auditor’s reports

There are two types of reports: Type I and Type II. A SAS 70 Type I report describes a service organization’s controls at a specific point in time and contains the service auditor’s opinion as to whether that description was presented accurately and whether the controls were suitably designed to achieve the specified control objectives. A Type II report includes the same information as a Type I, but additionally includes the service auditor’s opinion on whether the specific controls operated effectively during the period under review (typically six months or one year). Detailed testing of controls is performed by your service auditor to support the Type II opinion.

Significant changes

The new standard addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting. The new guidance does not apply (although it suggests it may be helpful) to attest engagements on a service organization’s controls that are not relevant to user entities’ internal control over financial reporting, such as compliance with requirements of laws, regulations, rules, or contracts, or controls that affect user entities’ production or quality control.

Key differences between SAS 70 and SSAE 16:

  • Under SAS 70, the service auditor’s report does not need to include management’s written assertion about the organization’s controls; SSAE 16 requires management’s written assertion.
  • Under SAS 70, the service auditor’s report does not need to include management’s criteria for making its assertion; SSAE 16 requires that the criteria accompany the service auditor’s report. Management must state how it determined that the service organization’s system description fairly presents the system it makes available to user entities, how it determined that the service organization’s controls were suitably designed, and, for a Type II report, how it determined that the service organization’s controls operated effectively throughout the period.
  • The service auditor’s report may use the inclusive method, where one or more relevant subservice organizations’ control objectives and related controls are included in the scope of the service auditor’s engagement. Under SAS 70, the service auditor’s report does not need to include the subservice organization’s management written assertion when the inclusive method is used; under SSAE 16 it must be included. If the subservice organization does not provide a management assertion, the inclusive method cannot be used.
  • Under SAS 70, for Type II reports, the opinion on fair presentation of the system and suitability of the design of controls is as of a point in time, such as December 31, 2010; under SSAE 16 the opinion on the design of controls covers the entire period of the report, such as January 1, 2010 through December 31, 2010.

Under the SAS 70 examination criteria, certain items were assumed. SSAE 16 identifies these items explicitly and makes them a requirement:

  • Service organizations must identify the risks that would cause control objectives to fail.
  • Service organizations must further describe the organization’s system and the internal controls that relate to the services provided, including:
      ◦ Classes of transactions processed
      ◦ Transaction initiation, authorization, recording, processing and reporting
      ◦ Preparation of reports sent to customers
      ◦ Changes that occurred during the audit period
      ◦ Other aspects of the Committee of Sponsoring Organizations (COSO) internal control framework relevant to the user entities

What needs to be done

If your service organization does not have an existing monitoring and testing program to support the newly required management assertion, and if your service organization’s description of the system has omitted the items described above, transitioning from SAS 70 to SSAE 16 can be a challenge. Your service organization should begin the transition now by completing the following steps:

  • Work with a service auditor to understand the changes introduced by SSAE 16.
  • Determine whether you will implement the changes immediately or wait until your first reporting period on or after June 15, 2011.
  • Determine whether your existing monitoring and testing of internal controls supports the management assertion you will be making.
  • Identify and document the criteria you will be using to make your management assertion.
  • Identify and document the risks that could cause your control objectives to fail.
  • If you use the inclusive method of reporting on subservice organizations, determine whether each subservice organization will provide a written management assertion.
  • Identify and fill in the components now required to fully communicate the description of your organization’s system.

Implementation of the new standard is only months away. Reviewing your existing procedures now and taking corrective action will make the transition easier. For more information on implementation of SSAE 16, consult with your trusted business advisor.

Any advice in this communication is not intended or written by Rehmann to be used, and cannot be used by a client or any other person or entity, for the purpose of: (I) avoiding penalties that may be imposed on any taxpayer; or (II) promoting, marketing or recommending to another party any matters addressed herein. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.