SSAE 16 compliance is a hot topic in the regulatory compliance world today, and for good reason. Statement on Standards for Attestation Engagements (SSAE) No. 16, known simply as SSAE 16, replaces the longstanding SAS 70 audit standard for reporting periods ending on or after June 15, 2011. In short, if you are a service organization that has undergone SAS 70 Type I and/or Type II audits in the past, it is time to gain a comprehensive understanding of three (3) critical points pertaining to the new SOC compliance framework. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets; they make a real difference in helping service organizations save thousands of dollars on SOC compliance.
1. Learn about the new AICPA SOC framework. To address the reporting needs of today's emerging service organizations, the American Institute of Certified Public Accountants (AICPA) developed a comprehensive platform known as Service Organization Control (SOC) reports. The SOC framework, which consists of SOC 1, SOC 2, and SOC 3 reports, gives service organizations an effective means of describing and reporting on their underlying control environment, in contrast to the historical SAS 70 auditing standard, which unfortunately became a "one size fits all" auditing tool. The newly released AICPA SSAE 16 standard is the professional standard used for issuing SOC 1 reports, which may be presented as Type 1 or Type 2 reports. The new "alphabet soup" of service organization reporting is a clear departure from the default SAS 70 standard that had become ubiquitously applied over time, but we will all eventually become very familiar with the new reporting arrangement. For points of clarity, consider the following:
- SOC 1 Reporting results in the issuance of SSAE 16 Type 1 or Type 2 Reports.
- SOC 2 Reporting utilizes the AICPA AT Section 101 professional standard, resulting in Type 1 or Type 2 reports.
- SOC 3 Reporting utilizes the SysTrust/WebTrust assurance services, also known as the Trust Services Principles and Criteria, a broad-based set of principles and criteria put forth jointly by the AICPA and CICA.
Alternatively, organizations considering SOC 2 or SOC 3 reporting may be better served by performing a limited scope of relevant control specifications that are understood and identified by the user organization(s), and thus receiving an "Agreed Upon Procedures" (AUP) report that is performed in concert with the user organization and the service organization's auditor [AT 201].
2. Understand the Relationship between SSAE 16 and the ICFR Concept. A core component of any SSAE 16 assessment (either Type 1 or Type 2) should include control objective(s) that relate to internal control over financial reporting, more commonly known as "ICFR." Thus, as a service organization, you may need to ask yourself this question: "What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) of the entities that use our services (i.e., user organizations)?" If you have difficulty answering this question, or cannot provide credible evidence that illustrates the ICFR concept within your core operational activities and the supporting control environment you maintain for clients, you may need to opt for SOC 2 or SOC 3 reporting instead. Some user organizations or their auditors may incorrectly request SOC 1 compliance from service organizations that are not actually responsible for ICFR functions of the user organization(s).
When considering the relevance of ICFR functions to the user organization(s), first determine whether any financial data provided by the service organization appears in, or is used to derive, the numbers that appear on the user organizations' financial statements. Then ask whether the service organization provides services that affect: (1) the record-keeping (accounting entries or accounting function, sometimes including estimates) of a user organization; (2) the actual authorization of transactions (revenue recognition, timing of expenses, or capital expenditures) that may appear in the accounting system; and (3) control over (custody of) the assets and/or liabilities that appear on the user's balance sheet(s). The SSAE 16 report and its underlying ICFR items are intended as auditor-to-auditor reporting on the ICFR functions "in place" (in existence, Type 1) and on their "effectiveness" (Type 2), for use in evaluating audit risk, control risk, and/or detection risk as may be relevant to the financial statement auditors of, or internal auditors at, the user organizations.
Note: Mere custody of financial data by organization "A" on behalf of another service organization "B," where "B" is the service organization responsible for the ICFR-related processing, does not by itself dictate the need for SOC 1 reporting at organization "A." "A" is more appropriately a SOC 2 candidate: "B" is the responsible party for the ICFR, while "A" is the facilitating entity (for example, a provider that merely hosts or stores the data) and is better served by SOC 2.
Generally, candidates for SSAE 16 compliance include entities such as: (1) third party administrators (TPAs); (2) actuarial and trust services; (3) payroll processors; (4) registered investment advisors (RIAs); and other service organizations that can establish a clear link between the ICFR concept and the SOC 1 reporting framework.
Example: At a payroll processor (a service organization), calculations performed on data input by the user organization determine accrued payroll; payroll expense; payroll taxes; withholding taxes; accrued or paid deferred compensation; accrued vacation deferral; qualified and non-qualified deferred plan accruals; and other financial estimates and calculations that clearly impact the financial statements of user organizations. This is clearly and definitively ICFR, with the controls administered by the service organization.
3. There are a number of critical differences between SAS 70 and SSAE 16 that you need to be aware of. The migration from SAS 70 to SSAE 16 is not merely an academic exercise; it requires a practical understanding and working knowledge of at least the following subject matter for purposes of discussing the engagement with your auditor(s):
- The description of the service organization's "system" and overall "system of controls."
- The written assertion by management that controls are in place and, for a Type 2 report, operating effectively.
- The concept of "monitoring" as a basis for making that assertion.
- The identification of risk and the risk assessment procedures in place.
- The SSAE 16 compliance reporting period relevant to the user organization(s).
- The internal audit function (particularly over ICFR, where and when necessary).
- Subservice organization reporting, which includes the "inclusive" and "carve-out" methods.
Service organizations seeking to undergo SSAE 16 or AT 101 compliance would benefit greatly from a Readiness Assessment, along with additional consultative services, to better assess their reporting needs under the new AICPA SOC framework. To learn more and obtain a competitive fixed-fee quote for SOC compliance, contact Mr. Christopher G. Nickell, CPA, via direct dial at 1-800-277-5415, ext. 706, or via email at firstname.lastname@example.org.