Apparently I missed this big change. Statement on Auditing Standards No. 70 (SAS 70) was a widely used reporting tool for service organizations all throughout the globe. However, the migration towards more globally accepted accounting principles has put SAS 70 in the rearview mirror. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization completely replaces SAS 70, effective for reports with periods ending on or after June 15, 2011.
SOC 1: SSAE 16 Type 1 Examination
A SSAE 16 Type 1 examination is a report on management’s description of a service organization’s system and the suitability of the design of controls.
SOC 1: SSAE 16 Type 2 Examination
A SSAE 16 Type 2 examination is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
One of the biggest differences introduced by SSAE 16 is that the service auditor is required to obtain a written assertion from management of the organization about the matters the CPA is reporting on. The organization’s management provides the auditor with a written assertion to be included in the SSAE 16 examination report. The written assertion states the following:
- Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period);
- The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date (or for a Type 2 – throughout the specified period);
- The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives (Type 2 only).
I’ll need to dive deeper into the changes. For now, I need to make sure I say “SSAE 16” instead of “SAS 70”.
Sources:
- The New SAS 70 by Rachel Murillo, Editorial Director, NASPP
- Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1)
- Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM) – AICPA Guide