SAS 70 to SSAE 16: How to Review Your Vendor's Internal Control Report
SSAE 16 - a new accounting standard for evaluating service organizations' operational and financial controls - will replace SAS 70 effective June 15, 2011.
This change has been in the works at the American Institute of CPAs (AICPA) for at least a year and was prompted by the AICPA's desire to (1) be in alignment with international accounting standards; and (2) clarify how internal controls audits at service organizations should be conducted and how those audits can be used by the service providers or their customers for compliance or marketing purposes.
Along with the new standard come three new reports, called Service Organization Control (SOC) reports, that replace the SAS 70 Type 1 and Type 2 reports.
The AICPA website is offering a variety of resources (some free, some not) to help the auditing community understand SSAE and SOCs. After spending time reviewing these resources, I could see the evolution in the AICPA's thinking with respect to the way the AICPA wanted SAS 70 reports to be used, and the way companies were actually using these reports. Case in point: an FAQ document published in February 2011 suggests that there was never a SAS 70 certification (despite what service organizations claimed) and there would not be an SSAE 16 certification. However, the AICPA is offering the next best thing to an SSAE 16 certification - a seal of approval available with a SOC 3 report - which can be used by service organizations for marketing purposes.
My sense is that the AICPA recognized the market realities - and the potential for additional CPA engagements - and softened its stance, creating a set of reports that both meets companies' desire to get more value out of their audits and preserves the integrity of the audit, the auditor, and the AICPA.
For a high-level overview of how these changes might affect your company or audit practice, sign up to receive our tip sheet - 4 Tips - What to Consider in the Transition to SSAE 16. You can get that here.
Or, to receive our detailed report analysis for performing a review of the new SSAE 16 SOC-1 reports, simply use the button below to sign up and download it.