SAS 70 vs. SSAE 16
Kenneth R. Henry
School of Accounting
Florida International University

What is SAS 70?
• Statement on Auditing Standards (SAS) No. 70 defines the standards an auditor must apply when assessing the contracted internal controls of service organizations.
• Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outsourcing services that affect the operations of the contracting enterprise (the user entity).
• SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) to simplify the criteria for audit standards originally defined in 1988 (SAS No. 55).

History of SAS 70
• SAP No. 29, October 1958: Scope of the Independent Auditor's Review of Internal Control
• SAP No. 41, November 1971: Reports on Internal Control
• SAP No. 54, November 1972: The Auditor's Study and Evaluation of Internal Control
• SAS No. 3, December 1974: The Effects of EDP on the Auditor's Study and Evaluation of Internal Control
• SAS No. 44, December 1982: Special-Purpose Reports on Internal Accounting Control at Service Organizations

History of SAS 70 (2)
• SAS No. 48, July 1984: The Effects of Computer Processing on the Audit of Financial Statements
• SAS No. 55, April 1988: Consideration of Internal Control in a Financial Statement Audit
• SAS No. 70, April 1992: Service Organizations
• SAS No. 78, December 1995: Consideration of Internal Control in a Financial Statement Audit: Amendment to Statement on Auditing Standards No. 55
• SAS No. 88, December 1999: Service Organizations and Reporting on Consistency

History of SAS 70 (3)
• SAS No. 94, May 2001: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
• Sarbanes-Oxley Section 404, July 2002: Management requirement to document and evaluate internal controls
• PCAOB Auditing Standard No. 2, March 2004: An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to service organizations.
• PCAOB Auditing Standard No. 5, May 2007: An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Note: Appendix B, paragraphs B17-B27, covers service organization considerations.
• ISAE No. 3402, December 2009: Assurance Reports on Controls at a Service Organization
• SSAE No. 16, April 2010: Reporting on Controls at a Service Organization

Protecting Your Bank
• The service provider is responsible for designing and implementing controls over its processes.
• The auditor is responsible for reporting on internal controls at the service provider.
• The bank remains responsible for its internal controls, no matter who processes the information.
• Where does the buck stop?

Common Loopholes
• Type 1 versus Type 2 report
• Management assertions
• Non-financial controls

Service Providers: Deliverables
• Type 2 report
• Additional report on non-financial internal controls
• Compliance with SSAE 16 and ISAE 3402

Comparing SAS 70 and SSAE 16
• SSAE 16 is an "attestation" standard, while SAS 70 is an "auditing" standard.
• ISAE 3402 is an "assurance" standard, comparable to a US attestation standard.
• SSAE 16 requires a description of the "system" and a written assertion by management, whereas SAS 70 requires a description of "controls" and no assertion.
– Many organizations may have to revise prior descriptions to meet the new requirements for SSAE 16 reporting.
• The SSAE 16 requirements for a description of the "system" are considered more comprehensive and expansive than the SAS 70 description of "controls".

Comparing SAS 70 and SSAE 16 (2)
• Management should identify the risks that threaten the achievement of the stated control objectives and evaluate whether the identified controls sufficiently address those risks.
• The service auditor must disclose any reliance on the work of internal audit.
• Certain changes to the format of the service auditor's opinion.
• A Type 1 report covers controls as of a specific date; a Type 2 report covers controls throughout a specified period.

Evaluating Service Provider Reports
• If a current SAS 70 report uses the inclusive method for one or more subservice organizations, early discussions with the subservice organization(s) are critical: under SSAE 16, a written assertion from subservice organization management may be difficult to obtain.
• Early communication with subservice organization management reduces the risk that the subservice organization is unable or unwilling to provide an assertion when the final report is issued.
• Determine whether all subservice organizations that affect user entities' financial statements have been identified.
• Review contracts to determine whether the term "SAS 70" is used. Consult legal counsel regarding any required changes and assess the impact on existing contracts.

Thoughts for Service Providers
• Leverage any Sarbanes-Oxley compliance testing. Some controls in scope for Sarbanes-Oxley compliance address your own financial reporting risks as well as the control objectives for the services you provide to your clients.
• Most service organizations have many processes for monitoring the services provided to clients. Often your control environment, monitoring, and information/communication controls already provide sufficient evidence of the application of controls. These include:
– Supervisory review of control procedures
– Management oversight
– Quality assurance programs
– Service-level agreement reporting
– Regular internal audits
– Complaint/incident management