SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify previous standards.
Among other changes, SSAE 18 additionally requires that service organizations identify subservice organizations and provide risk assessments to auditors.
Not only does the SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allowed user organizations to appropriately assess the reliability of the controls at a service organization. When the AICPA made the decision to replace the SAS 70 , they thought it more appropriate for a service organization audit to be an examination of a system, which is different than an audit of financial statements.
The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70 simply provided a description of controls and did not include any type of management assertion.
The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report.
An SSAE 16 report allows organizations to assess the risks associated with doing business with particular service providers. They are similar in many ways, but the key difference is the period of time covered by the report. There are several benefits associated with obtaining an SSAE 16 audit report. Statement on Auditing Standards No. The controls framework and scope are determined by the service organization, not the auditor.
The Type I reports on the controls from a moment in time, essentially, an attestation that the controls exist and that they are adequate and appropriate for the stated control objectives.
The Type II report actually requires that those controls be exercised and audited over some control period, typically months. It is really the Type II report that consumers want to see. Most service auditors believe that new SSAE no. Up until the issuance of ISAE no. Many aspects of new ISAE no. Once CPAs who are familiar with the existing service organization standards become familiar with the geography of the new standards user auditor guidance in the SASs, service auditor guidance in the SSAEs , it is likely that the transition will not be difficult.
A popular misunderstanding about SAS no. However, no such certification exists nor will it exist under SSAE no. An SSAE 16 report as with a SAS 70 report is primarily an auditor-to-auditor communication, designed to provide user auditors with detailed information about controls at a service organization that affect the information provided to user entities.
Such information generally is lengthy and detailed and could not be communicated via a certification. Use of an SSAE 16 report, like a SAS 70 report, is restricted by the service auditor to only the service organization client, user entities and user auditors.
Therefore, an SSAE 16 report is not a general use report and, as such, should not be used by anyone other than the specified parties named in the restricted use paragraph. The changes also place the standards in areas that better reflect the nature of the subject matter and the work performed. It is effective for reports for periods ending on or after June 15, Earlier implementation is permitted.
It expands on how an auditor audits the financial statements of an entity that outsources tasks that affect its financial statements to enable the auditor to fulfill two requirements of the risk assessment standards: obtaining an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement, and designing and performing further audit procedures responsive to those risks.
Requirements for CPAs examining and issuing reports on controls over subject matter other than financial reporting are housed in AT section , Attest Engagements , of the attestation standards, not under SSAE no.
Judith M. Sherinsky jsherinsky aicpa. To comment on this article or to suggest an idea for another article, contact Kim Nilsen, JofA editorial director, at knilsen aicpa. Archived webcast. Read a summary of SSAE no. For more information or to make a purchase, go to cpa2biz. On-Site Training.
To access courses, go to aicpalearning. More from the JofA :. Find us on Facebook Follow us on Twitter. Making the right moves now can help you mitigate any surprises heading into
0コメント