Statement on Standards for Attestation Engagements No. 16
Many entities outsource business tasks or functions to other entities. In Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, the entity that outsources a task or function is known as a user entity, and the entity that performs a service for user entities is known as a service organization. An example of a service organization is an investment adviser that invests assets for user entities, maintains the accountability for those assets, and provides statements to user entities that contain information that is incorporated in the user entities’ financial statements, for example, the fair value of exchange traded securities, or dividend and interest income. Another example of a service organization is a data center that provides applications and technology that enable user entities to process financial transactions.
In SSAE No. 16, an auditor who audits the financial statements of a user entity is known as a user auditor. In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization. In some cases, the user entity is able to implement controls at the user entity over the service performed by the service organization. In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions. In the latter case it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities. The user auditor could visit the service organization and test the service organization’s controls that are relevant to the user entity’s internal control over financial reporting . However, because many entities use the service organization, a number of user auditors may visit the service organization, require the assistance of service organization personnel, and disrupt the business of the service organization.
Another alternative is for the service organization to (1) prepare a description of the service organization’s system, including the control objectives and related controls that are likely to be relevant to user entities’ internal control over financial reporting, and (2) engage a service auditor to report on the fairness of the presentation of the description, the suitability of the design of the controls, and in certain engagements, the operating effectiveness of the controls. That report, including the description of the system, can be used by all the user auditors to obtain information about the controls at the service organization that are relevant to the user entities’ internal control over financial reporting.
Changes Introduced by SSAE No. 16
The following are some changes in the requirements for a service auditor’s engagement introduced by SSAE No. 16:
- The service auditor is required to obtain a written assertion from management of the service organization about the subject matter of the engagement. For example, for a type 2 engagement, the service auditor would obtain a written assertion by management about whether in all material respects, and based on suitable criteria
- Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period,
- The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives, and
- The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
- Suitable criteria are used to measure, present, and evaluate the subject matter. Paragraphs 14–16 of SSAE No. 16 provide suitable criteria for the fairness of the presentation of a service organization’s description of its system and the suitability of the design and operating effectiveness of its controls.
- The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
- The service auditor is required to identify in the description of tests of controls any tests of controls performed by internal auditors and the service auditor’s procedures with respect to that work.
- The service auditor’s examination report must contain the report elements identified in paragraph .85 of AT Section 101. (These report elements are tailored to a service auditor’s engagement in paragraphs .52 and .53 of SSAE No. 16.)
CONTACT US to learn more about our Assurance Services.
ABOUT US: Freed Maxick CPAs is Western and Upstate New York’s (NY) largest public accounting firm and a Top 100 firm in the U.S. Freed Maxick provides audit, tax and consulting services to closely-held businesses, public (SEC) companies, not-for-profits and governmental entities in Buffalo, Rochester, Syracuse, Albany and NYC, New York.