EXPERT ADVICE

From SAS 70 to SSAE No. 16 – and Everything in Between

Think you need a SAS 70 report — or its replacement, the SSAE No. 16 — to demonstrate your credentials? You may… but maybe not. Service Organization Controls (SOC) reports are designed to help service organizations build trust and confidence in their processes and controls through a report issued by an independent certified public accountant. Organizations rely on these reports to demonstrate their credentials to their clients or client’ auditors. But as CPAs, we often have to explain to our clients which reports they need… or don’t need.

The SAS 70 has been a must-have in the service industry for many years, providing effective and accepted guidance for reporting controls at service organizations. The SAS 70 standard is governed by the American Institute of Certified Public Accountants (AICPA) and was first issued in April 1992. However, in April 2010, the AICPA issued Standards for Attestation Engagements No. 16 (SSAE 16), titled “Reporting on Controls at a Service Organization,” to replace the SAS 70. (In SSAE 16, a business that performs a specialized function for other businesse is known as a “service organization” and a business that outsources the function to a service organization is known as a “user entity.”)

Service organizations should be aware that the new standard, while not significantly different from the present standard, does present some changes that will impact them and will become effective on or after June 15, 2011.

SSAE 16 continued to focus on information and controls provided by the service organization that affect the client or user entity’s financial statement. For example, a service organization that processes medical bills on behalf of hospitals provides the hospitals with a billing and collection hosted platform (Software as a Service) to record and process their invoices. This information flows through to the hospitals’ financial statements.

What Has Changed?

For those of you who’ve had a SAS 70 done already, you’ll find that there are few differences in the new standard. The most significant change is the requirement that management of the service organization must provide a written assertion. In a Type 1 report, management needs to attest to the fair presentation and design of controls. In a Type 2 report, management needs to attest to the fair presentation, design, and operating effectiveness of controls in place.

To provide a written assertion, management will need to have a solid foundation for making that assertion. Management should implement processes to periodically evaluate controls’ designs and operating effectiveness.

For example, management can perform yearly risk assessments to identify risks that could affect the control objectives; perform internal audit procedures or self assessments to prepare its description of the system; and evaluate whether controls are suitably designed and operating effectively.

If the service organization relies on subservice organizations — for example a data center — and management elects to use the inclusive method, management will need to obtain a written representation from the subservice organization.

Different Reports Meet Different Needs

SOC reports such as SSAE 16 are designed to help service organizations build trust and confidence in their processes and controls. However, not all SOC reports have the same purpose. The purpose of the SSAE No. 16 (like its predecessor SAS 70) is to report on controls over financial reporting at a service organization.

Its findings cannot be used as assurance that controls over compliance and operations are effective (for example), though SAS 70 reports have, on occasion, been marketed to report on controls over information security or privacy controls.

Other reports provide assurance on other controls. When service providers need to report on controls relevant to security, availability, processing integrity, confidentiality or privacy, they have two options.

The first option is the SOC 2 Report or AICPA Guide: Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), which provides a description of the service organization’s internal controls.

The second option, the SOC 3 Report, uses the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. In this report, a description of the processing and controls of the service organization is not provided.

Which Report Is Right?

Service organizations are trying to build trust with their customers; identifying the proper SOC Report for your organization can be challenging. A

table on the AICPA website is a helpful tool to understand which SOC report will be best for your organization.


Jorge Rey, CISA, CISM, CGEIT, and Tyler Quinn, CPA, CISA, provide IT advisory and assurance services at Kaufman, Rossin & Co.Rey can be reached at [email protected]. Quinn can be reached at [email protected].

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels