SSAE 16 replaces SAS 70

Posted by jburkett - February 2, 2012



SAS 70 was the existing auditing standard followed by service organizations. It required service auditors of service organizations to give a description of their design controls. To adapt to the globally accepted changes in accounting principles, certain amendments were required to be made in SAS 70. This led to the introduction of SSAE 16 by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). These changes helped align companies with the new international service organization reporting standards (ISAE 3402). It has brought American companies into competition at the international level and has encouraged companies from all over the world to give business to United States companies.

SSAE 16 stands for Statement of Standards for Attestation Engagements No. 16. It is the new attestation and auditing standard. It addresses the engagements conducted by service providers on service organizations for reporting design control and operational effectiveness. It requires companies to report a description of the system along with an assertion from management. These are the two major changes from SAS 70 in this standard. For reporting periods ending on or after 15 June 2011, it has become the new standard for control reporting at service organizations.

The main differences between SAS 70 and SSAE 16 can be summarized as follows. The AICPA felt that examination of service providers was more of an attest job than an audit job. Therefore, it was removed from SAS 70. Under SSAE 16, service providers have to describe their systems, where earlier they had to address only their controls. Management now has to provide a written assertion along with sustainability of controls. In the case of a Type 2 report, they also have to provide the effectiveness of their operations. In the new standard, the auditor's review will cover the effectiveness of controls over a period rather than at a specific date. Companies that earlier relied totally on the services given by providers will now have to address their service providers by including them in the system description. They will have to provide them with attestation on how they monitor their controls. SAS 70 did not take the assistance of internal audits, nor did it allow their disclosure; the new standard continues to allow for the use of internal audit, but when the internal audit function is used, the tests performed by internal audit are disclosed, as well as the service auditor's tests of internal audit work.

Moving from SAS 70 to SSAE 16 will be challenging for companies in the initial stage. However, the sooner organizations adopt this standard, the more beneficial it can be for them. They will have more time to understand the standard and assess what is lacking in their system. They can then start implementing those processes. Furthermore, companies that adopt this standard early would gain an edge over their competitors: once it becomes mandatory, they will have a stronger environment and emerge as market leaders.