In April 2010 the AICPA’s Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service OrganizationSSAE 16 is applicable when an entity (the user entity) outsources a business task or function to another entity (the service organization) and the data resulting from that task or function is incorporated in the user entity’s financial statements. One example of this is a health insurance company outsourcing the processing of medical claims to a claims processor and the resulting claims data being used to record the insurance company’s claims expense and related liability. In this example, even though the claims data is generated by the claims processor, management of the insurance company is still responsible for the accuracy of that data because it is included in their financial statements.
The auditor of a user entity’s financial statements (the user auditor) has the same responsibility for auditing data provided by a service organization as the auditor has for auditing other financial statement information. One way a user auditor may obtain evidence about the quality and accuracy of the data provided to a user entity by a service organization is to obtain a CPA’s report (a service auditor’s report) on controls at the service organization that affect data provided to the user entity and incorporated in the user entity’s financial statements. SSAE 16 enables a CPA to provide two types of service auditor’s reports:
- In a type 1 report, the service auditor expresses an opinion on whether the description of the service organization’s system (the nature of the service provided, how the service is performed, and the service organization’s controls over the service and related control objectives) is fairly presented and whether the controls included in the description are suitability designed.
- In a type 2 report, the service auditor’s report contains the same opinions that are included in a type 1 report but also includes an opinion on whether the controls were operating effectively.
Currently the guidance for service auditors reporting on controls at a service organization and for user auditors auditing the financial statements of a user entity is contained in AU Section 324 (originally issued as Statement on Auditing Standards (SAS) No. 70, Service Organizations). There are two major significant changes in SSAE 16, among others, that will affect a service auditor’s engagement: (1) management of the service organization will now be required to provide the service auditor with a written assertion about the fairness of the presentation of the description of the system, and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls; and (2) in a type 2 engagement, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period, rather than being as of a specified date.
The guidance for user auditors, currently in AU Section 324, will be unchanged until a currently proposed SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization (Redrafted), becomes effective. The proposed SAS does not contain any significant changes for user auditors. The new guidance for user auditors will remain in the SASs. SSAE 16 will be located in Section 801 of the attestation standards. SSAE 16 is effective for service auditor’s reports for periods ending on or after June 15, 2011, with earlier implementation permitted.
|
