The American Institute of Certified Public Accountants has published new guidance for auditors who are reporting on controls at service organizations that provide critical data to public company financial statements. Public companies that rely on such third-party audit reports need to be mindful of new standards and new guidance to assure the reports are reliable for their own financial reporting purposes.
The guide, titled Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1), steers auditors through the proper audit of a service organization under the new standard. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, takes effect for periods ending on or after June 15, 2011, to replace the historical SAS No. 70.
The new SSAE 16 audit is meant to give mass assurance to the various customers of service organizations that the data they rely on is under sound internal control. It covers any number of third-party service providers who handle functions like payroll, data hosting or processing, credit processing, clearing houses, etc.
The most significant difference under the new standard is the requirement for auditors to obtain from management of the service organization a written assertion about the state of controls. The guide provides illustrative examples that can help management in providing those assertions. It also helps auditors understand the kind of information that auditors of financial statements will need to find in a service auditor's report.
Judith Sherinsky, senior technical manager for audit and attest standards at the AICPA, said auditors can expect management to drag their feet on providing the required assertions. “Sometimes management may not want to do that,” she says. “But this serves as a reminder to management that these are your assertions.”
Sherinsky said the new audit report is also intended to provide service organizations' customers with a greater window of assurance about the soundness of controls. Previously, auditors provided assurance according to a specific date in the audit report; now the assurance is required to cover a defined reporting period, not just a single date in time.
The new standard also makes a distinction between controls that are important to financial reporting compared with controls that might be important to other business performance issues, like security, confidentiality, and privacy.