Industry Webinar Series
SAS 70 ENDS: EXIT TO SSAE 16
Transitioning from SAS 70 to SSAE 16: How Does This Apply to Your Organization?
Cindy Boyle, Partner
Rodney Walsh, Director
BKD IT Risk Services

Agenda
- Service Organizations
- User Organizations
- Background
- Similarities
- Key Differences
- Transition Planning
- Conclusion
- Questions
Service Organizations
- Service Organization: a provider of services that may impact a user's (client's) financial reporting, such as:
  - data centers
  - transaction/claims processing centers
  - application service providers
  - bank processing centers
- The service auditor issues an opinion on a service organization's description of controls

User Organizations
- Users of the Service Organization: typically considered your members or clients
- User Auditor (i.e., your client's auditor): audits the financial statements of your client
- SAS 70: provides assurance regarding the Service Organization's controls
Background
- Statement on Auditing Standards No. 70 (SAS 70) was issued in the early 90s
- International standards: two new standards
  - International Standard on Assurance Engagements 3402 (ISAE 3402)
  - The closely related U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16) by the AICPA
- SSAE 16 will supersede SAS 70 beginning with reporting periods ending on or after June 15, 2011
Similarities
- SSAE 16 continues the focus on controls likely to be relevant to user entities' internal control over financial reporting (ICFR)
- SSAE 16 will have Type 1 and Type 2 reports similar in scope to the current SAS 70 reports
- The format of the reports will not be significantly different
Similarities
- Narrative description of controls: the basis for the new description of the system
- Subservice organizations
  - Included (inclusive method)
  - Excluded (carve-out method)
- Intended users of the report
  - Service organization's management
  - Users
  - User auditors

Key Differences: SAS vs. SSAE
- SSAE 16 is an attest standard, not an audit standard
- Consistency with international standards and existing attestation standards
- Increased focus on service organizations with services relevant to a user organization's internal control over financial reporting (ICFR)
- Reference to AT 101, Attest Engagements, for service organizations without ICFR relevance
Key Differences: Management Assertion
- A Management Assertion will be included in or attached to the SSAE 16 report
- It states that:
  - the system is fairly represented
  - the system is suitably designed and implemented
  - the related controls were suitably designed to achieve the stated control objectives
  - the controls operated effectively throughout the period (for a Type 2 report)
- Subservice organizations must provide a similar assertion when the inclusive method is used

Key Differences: Management Assertion
- The report will reference that management is responsible for:
  - Preparing the system description
  - Providing the stated services
  - Specifying the control objectives
  - Identifying the risks
  - Selecting and stating the criteria for the assertion (e.g., monitoring activities)
  - Designing, implementing and documenting controls that are suitably designed and operating effectively

Key Differences: Auditor's Opinion vs. Management Assertion
- The Auditor's Opinion remains in the role of providing assurance regarding management's assertions
- The auditor is not the entity responsible for the communication
Key Differences: System Description
- Currently a narrative description of controls
- Management must prepare a written description of the system
- More inclusive than it has been for many organizations and many CPA firms
- For inclusive subservice organizations, include their:
  - Related control objectives
  - Related controls

Key Differences: System Description
- Components common to existing Descriptions of Controls:
  - Services covered
  - Period covered
  - Control objectives and related controls
  - Complementary user controls
Key Differences: System Description
- Additional elements for the Description of the System:
  - Classes of transactions and details on related procedures and accounting records
  - The capturing and addressing of significant events other than transactions
  - Report preparation processes
  - Other relevant aspects of the organization's:
    - Control environment
    - Risk assessment process
    - Information and communication systems
    - Control activities and monitoring controls

Key Differences: Risks
- Management should:
  - Identify the risks that threaten the achievement of the stated services
  - Identify the risks that threaten the achievement of the stated control objectives
  - Evaluate whether the identified controls sufficiently address the risks to achieving the control objectives
- [Diagram labels: Risks to Services; Control Objectives; Risks to Control Objectives; Control Activities]
Other Key Differences
- The service auditor must disclose reliance on internal audit
- Conforming changes to the service auditor's opinion

Transition Planning: Action Items for Service Providers

Transition Planning
- Promote current-year awareness and improvements
- Determine the effective date for your organization
- Follow up with a specific readiness effort this fall or early Q1

Transition Planning: Develop a Communication Plan
- Within your organization
- To your clients
- Client Internal Audit/Risk Management (i.e., other users of the report)
- Marketing material
- Web pages
- Contractual references
Transition Planning: Review Scope
- Included/excluded services
- Services that impact your client's financial reporting
- Key third parties (sub-service organizations)
  - Identify all relevant 3rd-party service organizations
  - Existence and use of their SAS 70/SSAE 16
  - Commitments from 3rd parties relative to the carve-out or inclusive method
  - Contractual/SLA impacts
Transition Planning: Review System Description
- Services
- Scope
- Third parties (inclusive or carve-out)
- Risks
- Objectives
- Controls

Transition Planning: Assess Control Design
- Risk based
  - Will impact control objectives
  - Will impact supporting control activities
- Consider current SOX or other compliance efforts/governance models and efforts

Transition Planning: Consider Management Assertion
- Review the basis for the assertion
- Review the sufficiency of current monitoring processes
- Need for direct testing of controls not sufficiently monitored
In Conclusion
- Develop a project plan
- Assign responsibilities
- Monitor the plan
- We are ready to assist:
  - Planning assistance
  - Review of scope and 3rd parties
  - Risk approaches
  - Samples/formats
Thank You
Cindy Boyle, CPA, CFIRS, CIA, Partner, 501.372.1040, cboyle@bkd.com
Rodney Walsh, CGEIT, Director, 816.221.6300, rwalsh@bkd.com