Many entities outsource business tasks or functions to other entities. The entity performing the outsourced service is called a service organization and the entity using that service is called a user entity. Previously, SAS No. 70, Service Organizations, contained the requirements and guidance for CPAs reporting on controls at service organizations and for user auditors auditing the financial statements of entities that use a service organization. SAS No. 70 is now being divided into parts and replaced by two new standards.
SSAE No. 16 for Service Auditors
In April, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization. SSAE No. 16, which provides the requirements and guidance for a service auditor reporting on a service organization’s controls that are relevant to user entities’ internal control over financial reporting, supersedes the guidance for service auditors in SAS No. 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324). It is effective for service auditors’ reports for periods ending on or after June 15, 2011. Earlier implementation is permitted.
Clarified Auditing Standard for User Organizations
As part of its Clarity Project, the ASB also issued Clarified Statement on Auditing Standards, Audit Considerations Relating to an Entity Using a Service Organization. This SAS will supersede the requirements and guidance for user auditors in SAS No. 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324), and address the user auditor’s responsibility for obtaining sufficient appropriate audit evidence in an audit of the financial statements of an entity that uses one or more service organizations. Its effective date will be the same as that of the other clarified standards, which is no earlier than periods ending after December 15, 2012 (early implementation is not permitted).
Two Authoritative Guides to Come
In early 2011, two authoritative guides will be released. One, a rewrite of the current SAS No. 70 Service Organizations audit guide, will provide guidance on examining and reporting on a service organization’s controls that are relevant to user entities’ internal control over financial reporting. The other guide will provide guidance on examining and reporting on a service organization’s controls over subject matter other than financial reporting, such as security, availability, processing integrity, confidentiality or privacy of user entities’ information or operations.
Resources to Help CPAs
Recognizing the complexity of the topic, the AICPA is developing resources to help members understand and implement the new standards. The AICPA has developed an FAQ to explain changes in the standards resulting from the issuance of SSAE No. 16, including moving the requirements and guidance for service auditors from SAS No. 70 to that SSAE. In addition, an archived webcast held on June 28, SAS 70 the Next Generation: Planning for the New Service Organization Standards, covers SSAE No. 16 and the new Audit Guides.