SAS 70 to SSAE 16: How to Review your Vendors Internal Control Report
SSAE 16 - a new accounting standard for evaluating service organizations' operational and financial controls - will replace SAS 70 effective June 15, 2011.
This change has been in the works at the American Institute of CPA's (AICPA) for at least a year and was prompted the AICPA's desire to (1) be in alignment with international accounting standards; and (2) clarify how internal controls audits at service organizations should be conducted and how those audits can be used by the service providers or their customers for compliance or marketing purposes.
Along with the new standard are three new reports - called Service Organization Control (SOC) reports -- that replace the SAS 70 Type 1 and Type 2 reports.
The AICPA website is offering a variety of resources (some free, some not) to help the auditing community understand SSAE and SOCs. After spending time reviewing this resources, I could see the evolution in AICPA's thinking with respect to the way the AICPA wanted SAS 70 reports to be used, and the way companies were actually using these reports. Case in point: an FAQ document published in February 2011 suggests that there was never a SAS 70 certification (despite what service organizations claimed) and there would not be a SSAE 16 certification. However, the AICPA is offering the next best thing to a SSAE 16 certification - a seal of approval available with a SOC 3 report - which can be used by service organizations for marketing purposes.
My sense is that the AICPA recognized the market realities -- and potential for additional CPA engagements -- and softened their stance, creating a set of reports that both meets companies' desire to get more value out of their audits and preserves the integrity of the audit, the auditor, and the AICPA.
The transition from SAS70 to SOC 1 SSAE 16 reports has brought added complexity for companies using Service Providers. Vibato offers a SSAE 16 Review Checklist that will show you when to ask for a SSAE 16, what questions to ask, and how to review your vendors internal control report to ensure you understand what it means and so you can demonstrate your analysis to your stakeholders and external auditors.
For additional information, follow these links to read our blog posts about:
|SAS 70 to SSAE 16 - A New Standard for Service Organizations|
|When to ask for a SAS 70 / SSAE 16|
|How to Properly Review a SAS 70|
Watch our videos:
|Click here to watch a video on How to Deal with your SSAE 16|
Download our tip sheets:
|Download our tip sheet - "4 Tips - What to Consider in the Transition to SSAE 16."|
The SSAE 16 Review Checklist is available for purchase on our sister site, AccountingTemplates.com. Accountingtemplates.com contains nearly 1000 Internal Control Procedures™, like the SSAE 16 Review Checklist, that can help take the complexity out of your day-to-day accounting work and help you understand how to prepare your audit evidence documentation.