Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

AICPA Guide Explains New Service Organization Audits

Tammy Whitehouse | July 6, 2011

The American Institute of Certified Public Accountants has published new guidance for auditors who are reporting on controls at service organizations that provide critical data to public company financial statements. Public companies that rely on such third-party audit reports need to be mindful of new standards and new guidance to assure the reports are reliable for their own financial reporting purposes.

The guide, titled Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1), steers auditors through the proper audit of a service organization under the new standard. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, takes effect for periods ending on or after June 15, 2011, to replace the historical SAS No. 70.

The new SSAE 16 audit is meant to give mass assurance to the various customers of service organizations that the data they rely on is under sound internal control. It covers any number of third-party service providers who handle functions like payroll, data hosting or processing, credit processing, clearing houses, etc.

The most significant difference under the new standard is the requirement for auditors to obtain from management of the service organization a written assertion about the state of controls. The guide provides illustrative examples that can help management in providing those assertions. It also helps auditors understand the kind of information that auditors of financial statements will need to find in a service auditor's report.

Judith Sherinsky, senior technical manager for audit and attest standards at the AICPA, said auditors can expect management to drag their feet on providing the required assertions. “Sometimes management may not want to do that,” she says. “But this serves as a reminder to management that these are your assertions.”

Sherinsky said the new audit report is also intended to provide service organizations' customers with a greater window of assurance about the soundness of controls. Previously, auditors provided assurance according to a specific date in the audit report; now the assurance is required to cover a defined reporting period, not just a single date in time.

The new standard also makes a distinction between controls that are important to financial reporting compared with controls that might be important to other business performance issues, like security, confidentiality, and privacy.