FREQUENTLY ASKED QUESTIONS
1. Why has the standard changed from SAS 70 to SSAE 16?  

SAS 70 is a U.S. standard, and although it has been used for engagements outside the U.S., there was a need to develop an internationally recognized standard. The AICPA, as part of its efforts to converge its U.S. standards with international standards, began drafting a new Statement on Standards for Attestation Engagements (SSAE 16) that would replace SAS 70. The new standards are not aimed at overhauling how an engagement to report on controls at a service organization is performed. Rather, they have been created to meet the demands of the current market environment and to fit into the modern framework of assurance standards.

2. What is the difference between a SAS 70 & SSAE 16?

The most evident change to SAS 70 is the requirement that management of the service organization provide a written assertion attesting to the following:

    - Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented throughout the specified period (or as of a specific date for a Type I report),

    - The controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives (or as of a specific date for a Type I report), and

    - The controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives.

Several other key changes include:

    - SSAE 16 provides suitable criteria for the fairness of the presentation of a service organization's description of its system and the suitability of the design and operating effectiveness of its controls. These criteria will provide user entities of the SSAE 16 report a more thorough overview of the services provided and systems in place.

    - The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.

    - The service auditor is required to identify in the description of tests of controls any tests of controls performed by internal auditors and the service auditor's procedures with respect to that work.

    - Lastly, if the service organization relies on controls at a sub-service organization and management elects to use the inclusive method (that is, management's description of the service organization's system includes controls at the sub-service organization), management will need to determine whether controls at the sub-service organization are suitably designed or suitably designed and operating effectively, depending on whether they are executing a Type I or Type II report. In order to make this determination and to support their own assertion, management of the service organization would need to obtain a written assertion from management of the sub-service organization.

3. How will this new standard affect our organization?

Service organizations should not expect significant changes in the manner in which a service audit is performed under the new standard. Likewise, the level of effort required by the service auditor and the service organization's internal resources should be comparable. Some service organizations, however, may elect to perform a SOC 2 engagement based on the nature of services provided and the use of the report by its recipients. Please contact us for additional details about SOC 2 engagements.

4. What is the difference between a SSAE 16 Type I, Type II and Readiness Assessment?

The following outlines the differences between a SSAE 16 Type I, Type II and Readiness Assessment:

| Report Component | Readiness Assessment | Type I | Type II |
| --- | --- | --- | --- |
| Consultative report intended for management regarding the preparedness of the organization for a SSAE 16 | Included | Not Included | Not Included |
| Management's assertion included within the report | Not Included | Included | Included |
| Independent service auditor's report (auditor's opinion) | Not Included | Included | Included |
| Service organization's description of controls | Not Included | Included | Included |
| Information provided by the independent service auditor (test of operating effectiveness of controls) | Not Included | Not Included | Included |
| Other information provided by the service organization (responses to findings, additional information about the service or control environment, etc.) | Not Included | Optional | Optional |

5. How do I know which type of SSAE 16 we need?

A SSAE 16 Readiness Assessment is an efficient method by which we help our clients determine their readiness for a SSAE 16 audit. A Readiness Assessment is often a desirable option for service organizations that have not had a SSAE 16 performed or otherwise have concerns about the preparedness of the organization for a SSAE 16 audit. The result of this audit is a consultative report that includes issues identified relevant to the control environment and corrective knowledge about the service and detailed information about the control environment that will be used to conduct the actual SSAE 16, thereby offsetting some of the time and cost. SSAE 16 Readiness Assessments are generally conducted for organizations with the following characteristics:

    - Management has concerns about the preparedness of the organization for a SSAE 16 audit

    - A SSAE 16 has never been performed related to the service to be audited

    - A prior audit related to the services resulted in significant adverse findings

    - Key personnel responsible for control over the service are no longer with the organization

    - There have been significant changes to the processing environment

    - The service to be audited was recently integrated as part of an acquisition or merger

    - A SSAE 16 was previously performed that was not considered useable by clients or their auditors

A SSAE 16 Type II Report expresses an opinion on a service organization's controls as they relate to an audit of the financial statements of its clients, or to specific control objectives relevant to the service organization. The Type II report determines whether controls were in place and operated with sufficient effectiveness to provide reasonable assurance that the control objectives were met during a specific period of time. The Type II report is typically what a service organization's client auditors expect, because its procedures can take the place of work they would otherwise have to perform. SSAE 16 Type II audits are generally conducted for organizations with the following characteristics:

    - The service organization provides or intends to provide significant services to public companies or companies who are otherwise audited

    - The service organization is contractually obligated to have a Type II SSAE 16 performed

    - The service organization strives for operational excellence and seeks an independent method of assessing and conveying this to its clients

Similar to a Type II SSAE 16 Report, the Type I also expresses an opinion on a service organization's controls as they relate to an audit of the financial statements of its clients, or to specific control objectives relevant to the service organization. However, the Type I goes only so far as to determine whether it was reasonably assured that controls were designed to meet the control objectives and were in place as of a specific point in time. No opinion on whether controls operated effectively over a specific period is provided. In the past, a Type I SAS 70 could be used by the auditors of a service organization's clients in place of certain procedures that they would otherwise have to conduct. With the Sarbanes-Oxley Act and tighter auditing standards, the use of this type of report is much more limited because it does not provide tests of operating effectiveness of controls. However, some service organizations may achieve their SSAE 16 audit objectives with a Type I in the following circumstances:

    - A SSAE 16 has never been performed related to the service to be audited

    - The service organization is conducting a SSAE 16 audit on an elective basis, with no contractual or other client audit requirements

    - The service organization is conducting a SSAE 16 audit on behalf of clients whose auditors do not require a Type II SSAE 16

    - The service organization strives to set a standard of excellence and seeks an independent method of assessing and conveying this to its clients

6. How often must a SSAE 16 audit be conducted?  

A SSAE 16 is typically conducted one to two times per year, depending on the needs of the service organization's clients. Since a Type II SSAE 16 expresses an opinion on the operating effectiveness of controls over a period of time, it will generally cover a time frame of six months or one year. A Type I SSAE 16 expresses an opinion on the design of internal controls as of a point in time, and will therefore be as of a specific date (rather than for a specific period, as in a Type II).

7. How long does a SSAE 16 audit take and what demand will it put on my organization?

The duration of a SSAE 16 is dependent on the type of procedures performed. A SSAE 16 Readiness Assessment will generally take less than a week to complete fieldwork, with a consultative report delivered to the service organization one to two weeks later. Fieldwork for a Type I SSAE 16 generally takes one to two weeks for most organizations, although highly complex or large organizations may take longer. A Type II SSAE 16 generally takes two to four weeks of fieldwork, again with longer durations for larger or more complex environments. Both Type I and Type II reports generally are issued within four weeks of completion of fieldwork.

Fieldwork is the period during which our auditors gather information about the service organization's control environment and perform tests of controls. We limit the time we spend at the service organization's location to what is needed to gather the information required to perform procedures. We find that organizations that have prepared the requested information before our arrival experience limited demand and interruption of day-to-day activities. Typically, once the required information is gathered, final procedures will be conducted off-site.

8. What part of my organization is audited during a SSAE 16? How much does it cost?

Only the process and controls directly related to the service for which the SSAE 16 is being conducted are evaluated. Other aspects of the service organization are generally not impacted by the SSAE 16 audit.

The cost of a SSAE 16 is dependent on the type of audit performed and the nature of the service being assessed. Readiness Assessments are generally less costly than Type I SSAE 16s, which in turn are generally less costly than a Type II SSAE 16. However, if a Readiness Assessment or Type I SSAE 16 is performed, that work can often be leveraged to reduce the fees of moving to a Type II. As one would expect, procedures for larger and more complex organizations are typically more time intensive, resulting in higher audit fees. Generally, first-year SSAE 16 audits are more time intensive. In subsequent years, we are typically able to leverage the knowledge, documentation and procedures already obtained. Therefore, we are able to offer reduced pricing for our clients who agree in advance to multi-year services. We offer our clients the option of selecting a fixed price or fees and expenses arrangement. Our pricing is highly competitive. We work with our clients to create a cost-effective SSAE 16 solution that meets the needs of the service organization, their clients and their clients' auditors.
360 Advanced | Home