SSAE 16 was released in April as the reporting standard for all service auditors' reports and was issued to replace the Statement on Auditing Standards No. Auditors use SSAE 16 as a guide when creating two specific audit reports: the first is a snapshot that reflects the status of an organization's controls on a particular day, and the second incorporates historical data that reflects how controls have changed over time.

Auditing standards such as SSAE 16 are used by auditors to guide the discovery of controls, including security controls, in all types of organizations, such as data centers, internet service providers (ISPs) and other entities that operate information security controls. The use of such standards helps both organizations and auditors demonstrate information security compliance with regulations such as Sarbanes-Oxley (SOX).

A main difference between SSAE 16 and SAS 70 is that SSAE 16 requires the management of the service company to provide a written assertion to the auditor stating that its description accurately represents its organizational system. The organization's system description consists of the services provided by the organization and any and all operational activities that affect the service's customers. In addition, the organization must assert that its description honestly describes its control objectives and the time period in which they are meant to be evaluated.
An audit performed under this standard is designed to produce a report for use by the auditors of the clients of a service organization in planning a financial statement audit of the client of the service organization.
Listing of differences
Although the US standard was written to mirror the international standard. Below is an overview of those differences identified:

Management assertion
Similar to Sarbanes-Oxley requirements, the new standards outline specific guidance on the written management assertion. Management needs to consider the risks that threaten the achievement of control objectives and whether the controls in place are sufficient to mitigate those risks. A formal or informal process may be used by management to assess such risks.

Description of the system
Unlike the SAS 70 requirement that service organizations provide a description of controls, the description of the system should identify the following:

Use of prior evidence
The assessment of the design of controls (type 1) or the operating effectiveness of controls (type 2) must solely be based on evidence obtained during the period under review.

Subservice organisations
The new standards allow service organisations to describe the use of subservice organisations either through the inclusive method or the carve-out method. This is similar to existing SAS 70 requirements. A full description of the related control objectives and controls of the subservice organisation.

Use of internal audit
A service auditor may use the work of internal audit. No such disclosure is required if members of internal audit are used under the direction of the service auditor.

Direct assistance
A service auditor may use the work of the internal audit function in a direct assistance capacity.

Anomalies
Allows deviations identified in tests of controls to be considered anomalies. Deviations may not be considered as anomalies when performing tests of controls. If a service auditor becomes aware that the deviations resulted from intentional acts by service organization personnel. No such requirement.

Subsequent events
Subsequent events up to the date of the report are required to be disclosed if their nature and significance is such that disclosure is necessary to prevent users of the report from being misled. This is not addressed.

Disclaimer of opinion
If written representations are not provided by the service organization.

Documentation completion
Requires engagement documentation to be completed on a timely basis after the date of the report and no later than 60 days following the report release date. Only requires completion on a timely basis but does not define the maximum number of days.

Engagement acceptance and continuance
Management of the service organization must acknowledge and accept responsibility for providing the service auditor with written representations at the conclusion of the engagement. No such acknowledgement is required, but written representation is required.

Restricting use
The report includes a statement in a prescribed format restricting its use to management of the service organization. The standard does not require the inclusion of a statement restricting the use of the report to specified parties. Only a statement indicating its intended use by user entities and their auditors is required.

Making a decision on which standard to follow
The decision by service organisations of whether to follow SSAE 16 or ISAE will be clear in most cases.
If the service organisation is located within the US, SSAE 16 would apply. Internationally the equivalent is ISAE.

When the US standard was issued, the AICPA had recognised an increasing demand for reports on controls on matters other than financial reporting. Examples include reporting on controls surrounding the privacy of customer information or reporting on controls ensuring the availability and security of computing facilities. SAS 70 reports were often misused as a means to obtain assurance for these other matters. The AICPA have designed three reports which are intended to provide users with valuable information to address the risks associated with an outsourced service. The new categories that were drafted to correct these misuses are as follows:

The first is an SSAE 16 report, discussed above in detail.

SOC 2 reports specifically address one or more of the following five key system attributes:
A. Security: the system is protected against unauthorised access, both physical and logical.
B. Availability: the system is available for operation and use as committed or agreed.
C. Processing integrity.
D. Confidentiality: information designated as confidential is protected as committed or agreed.
E. Privacy: personal information is collected.

Trust Services Report for Service Organisations: similar to SOC 2.
Because the service organisation's client has outsourced part of its processing to the service organization, a portion of the client's internal control is located at the service organization.

In order to plan a financial statement audit of the client, the client's auditors must either perform procedures at the service organization or rely upon the report of another auditor on the description of controls in place at the service organization over the processing of the client's transactions.
In the absence of a current Service Auditor's Report, a service organization may have to handle multiple audit requests from its customers and their respective auditors.
Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.
Furthermore, a Service Auditor's Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
A Service Auditor's Report also helps a service organization build trust with its user organizations. Both are effective for reporting periods on or after 15 June, and the widely used SAS 70 report on controls at a service organization will cease to be relevant after that date.
The new standards are largely similar to SAS. Each enables a service auditor to perform two types of engagements:

A type 1 engagement, in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

A type 2 engagement, in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Highlights of management's assertion are as follows: it should be based on suitable criteria which management should select to be used to make their assertion, and it should state such criteria within the assertion. This places additional responsibilities on service organizations' management.

The need for change
The IAASB and AICPA are not striving to completely revise standards on how to report on controls at a service organization. Furthermore, a growth in the number of companies outsourcing services called for an update to the two-decade-old standard to meet the demands of the current global marketplace.

Significant differences from SAS