Register Below to Receive Updates & Useful Information

Download the "5-Step Vibato Difference"

Internal Controls Training

Follow Us

Download the
'Vibato Internal Control Suite Product Overview'

.

Our CEO Says...

"If you are going to be known for something, be known for delivering. At Vibato, we come through on that promise."

- Bill Bockwoldt, CEO, Vibato

Download "5 Steps to an Effective Segregation of Duties Analysis" now!

SOD Whitepaper

Browse by Tag

Current Articles | RSS Feed RSS Feed

SAS 70 to SSAE 16: How to Review your Vendors Internal Control Report

  
  
  
  

SSAE 16 / SAS 70 Review Instructions

SAS 70 to SSAE 16: How to Review your Vendors Internal Control Report

SSAE 16 - a new accounting standard for evaluating service organizations' operational and financial controls - will replace SAS 70 effective June 15, 2011.

This change has been in the works at the American Institute of CPA's (AICPA) for at least a year and was prompted the AICPA's desire to (1) be in alignment with international accounting standards; and (2) clarify how internal controls audits at service organizations should be conducted and how those audits can be used by the service providers or their customers for compliance or marketing purposes. 

Along with the new standard are three new reports - called Service Organization Control (SOC) reports -- that replace the SAS 70 Type 1 and Type 2 reports.  

The AICPA website is offering a variety of resources (some free, some not) to help the auditing community understand SSAE and SOCs. After spending time reviewing this resources, I could see the evolution in AICPA's thinking with respect to the way the AICPA wanted SAS 70 reports to be used, and the way companies were actually using these reports. Case in point: an FAQ document published in February 2011 suggests that there was never a SAS 70 certification (despite what service organizations claimed) and there would not be a SSAE 16 certification. However, the AICPA is offering the next best thing to a SSAE 16 certification - a seal of approval available with a SOC 3 report - which can be used by service organizations for marketing purposes.

My sense is that the AICPA recognized the market realities -- and potential for additional CPA engagements -- and softened their stance, creating a set of reports that both meets companies' desire to get more value out of their audits and preserves the integrity of the audit, the auditor, and the AICPA.

The transition from SAS70 to SOC 1 SSAE 16 reports has brought added complexity for companies using Service Providers. Vibato offers a SSAE 16 Review Checklist that will show you when to ask for a SSAE 16, what questions to ask, and how to review your vendors internal control report to ensure you understand what it means and so you can demonstrate your analysis to your stakeholders and external auditors.  

For additional information, follow these links to read our blog posts about:

 
Let's work! SAS 70 to SSAE 16 - A New Standard for Service Organizations
 Lightbulb  When to ask for a SAS 70 / SSAE 16
 Chalkboard  How to Properly Review a SAS 70

Watch our videos:

 Monitor  Click here to watch a video on How to Deal with your SSAE 16

Download our tip sheets:

 Download Download our tip sheet - "4 Tips - What to Consider in the Transition to SSAE 16."
Download Document Here

 

The SSAE 16 Review Checklist is available for purchase on our sister site, AccountingTemplates.com. Accountingtemplates.com contains nearly 1000 Internal Control Procedures™, like the SSAE 16 Review Checklist, that can help take the complexity out of your day-to-day accounting work and help you understand how to prepare your audit evidence documentation.

AccountingTemplates.com

Click Here to View the Checklist

Comments

There are no comments on this article.
Comments have been closed for this article.