The New Authoritative Guidance for Reporting on Service Organizations

by Ninad Shringarpure, Senior IT Auditor, Coalfire

Beginning June 15, Certified Public Accountants (CPAs) reporting on controls at a service organization in the United States will have new and better authoritative guidance. As service organizations become increasingly concerned about risks beyond financial reporting, such as compliance and operations, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) has issued Standards for Attestation Engagements 16 (SSAE 16)*. This move was made to correct the misuse of Statement on Auditing Standards 70 (SAS 70) beyond its intended scope as a financial reporting mechanism. Now, SSAE 16 will effectively replace the requirements and guidance for auditors reporting under SAS 70.

Under SSAE 16, CPAs (also known as service auditors) can create two distinct types of reports for any entity that performs a specialized task or function for any other entity (also known as service organizations and user entities respectively). In the first report, the service auditor may state an opinion on the accuracy of the control description (does it describe what actually exists?) and whether these controls are suitably designed. Controls that are suitably designed and that operate effectively are able to achieve the related control objectives. In the second report, the service auditor repeats the above opinion, but also includes an opinion on whether the controls were operating effectively throughout the reporting time period.

Keep in Mind

As the transition is made from SAS 70 to SSAE 16, there are a few key changes that should be highlighted:

  • TSSAE 16 is an attest standard, not an audit standard.
  • The service organization must also provide a written assertion stating that the controls are fairly presented, suitably designed, and operating effectively to achieve the specified control objectives.
  • The service organization management must also prepare a description of the organization’s system—defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor’s report.
  • The system description must specify control objectives and related controls. Management must also identify the risks that threaten the achievement of the control objectives.
  • SSAE 16 allows the service organization to describe the use of subservice organizations through either an inclusive method or a carve-out method of presentation.
  • The service auditor may use the independent work of internal audits or other control-related functions performed to support the organization’s testing (assuming there is an alignment of scope and timing between the independent work and the work of the service auditor).

Make the Right Choice

There are a wide variety of controls dealing with various subject matters that a CPA may need to examine and report on, including user entity financial reporting; security, availability, and processing integrity of systems; and the confidentiality of information processed for user entity customers. In order to make CPAs aware of the various standards available for examining and reporting on the wide variety of control topics within a service organization, the AICAP has defined three independent service organization control (SOC) engagements. Each of these SOC reports is designed to help service organizations meet their specific user needs:

  • SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
  • SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
  • SOC 3 Report – Trust Services Report for Service Organizations

For more detailed information on the different levels of SOC reports, visit the AICPA website.


K Financial - Transition from SAS 70 to SSAE 16

*International Standard on Assurance Engagement (ISAE 3402) was also drafted. While SSAE 16 and ISAE 3402 have some differences, they are substantially the same.