Many entities outsource business tasks or functions to other entities. In Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, the entity that outsources a task or function is known as a user entity, and the entity that performs a service for user entities is known as a service organization. An example of a service organization is an investment adviser that invests assets for user entities, maintains the accountability for those assets, and provides statements to user entities that contain information that is incorporated in the user entities’ financial statements, for example, the fair value of exchange traded securities, or dividend and interest income. Another example of a service organization is a data center that provides applications and technology that enable user entities to process financial transactions.
In SSAE No. 16, an auditor who audits the financial statements of a user entity is known as a user auditor. In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization. In some cases, the user entity is able to implement controls at the user entity over the service performed by the service organization. In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions. In the latter case it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities. The user auditor could visit the service organization and test the service organization’s controls that are relevant to the user entity’s internal control over financial reporting. However, because many entities use the service organization, a number of user auditors may visit the service organization, require the assistance of service organization personnel, and disrupt the business of the service organization.
Another alternative is for the service organization to (1) prepare a description of the service organization’s system, including the control objectives and related controls that are likely to be relevant to user entities’ internal control over financial reporting, and (2) engage a service auditor to report on the fairness of the presentation of the description, the suitability of the design of the controls, and in certain engagements, the operating effectiveness of the controls. That report, including the description of the system, can be used by all the user auditors to obtain information about the controls at the service organization that are relevant to the user entities’ internal control over financial reporting.
Two Types of Engagements
SSAE No. 16 contains the requirements and guidance for a service auditor reporting on a service organization’s controls. It enables a service auditor to perform two types of engagements:
Requirements and Guidance for Service Auditors Moved to SSAEs
Prior to the issuance of SSAE No. 16, the requirements and guidance for service auditors and user auditors were included in SAS No. 70, Service Organizations (AU section 324). The AICPA’s Auditing Standards Board, as part of its project to converge audit, attest, and quality control standards with those of the International Auditing and Assurance Standards Board (IAASB), decided that the guidance for service auditors in AU section 324 of Statements on Auditing Standards should be moved to the SSAEs, and the guidance for user auditors should be retained in AU section 324.
SSAE No. 16 is based on the IAASB’s International Standard on Assurance Engagements No. 3402, Assurance Reports on Controls at a Service Organization. At the end of April 2010, the ASB will issue a new SAS for user auditors, Audit Considerations Relating to an Entity Using a Service Organization, that is based on the IAASB’s International Standard on Auditing 402, which bears the same title as the proposed SAS. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU section 324. The effective date of the proposed SAS is for audits of financial statements for periods beginning on or after December 15, 2010.
Changes Introduced by SSAE No. 16
The following are some changes in the requirements for a service auditor’s engagement introduced by SSAE No. 16: