Presentation on theme: "Presented by: Michael Pinna – WeiserMazars LLP and Joel Lanz - Joel Lanz, CPA P.C. June 28, 2011."— Presentation transcript:
Presented by: Michael Pinna – WeiserMazars LLP and Joel Lanz - Joel Lanz, CPA P.C. June 28, 2011
2 The End of the SAS 70 The Statement on Auditing Standard (SAS) No. 70 is being replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 16. This new reporting standard became effective for periods ending on or after June 15, It is in effect NOW!
3 The End of the SAS 70 One of the most immediate differences between the SAS 70 and the SSAE 16 is that the new SSAE 16 reporting now falls under an attest standard and not an auditing standard.
4 Why Was the SSAE 16 Introduced? New Technologies. Since the inception of the SAS 70 in the mid-1990’s, technologies have evolved at a frantic pace. Some current technologies like the Internet, mobile computing, wireless communications and technology hosting were just in the beginning phases when the original SAS 70 standard was developed. These technologies have moved computing into the mainstream of life in the modern world.
5 Why Was the SSAE 16 Introduced? Growth in Outsourcing. With the growth in technology, many firms have begun embracing outsourcing as a method of providing for their technology needs without necessarily developing or “buying” the resources. This has lead to an increased demand for firms to gain assurance that the controls and processes employed by these outsourcing firms are in place and operating effectively.
6 Why Was the SSAE 16 Introduced? Globalization. The advances of technology and communications have made the world smaller. Electronic information can now be stored and accessed from almost anywhere in the world.
7 Why Was the SSAE 16 Introduced? International Standards Convergence. The SSAE 16 standard incorporates the key elements that have been introduced in other international standards such as the International Standard on Attestation Engagements (ISAE) While there are differences between the SSAE 16 and the ISAE 3402, the new SSAE 16 moves the United States in line with the international standards.
8 Why Was the SSAE 16 Introduced? Overuse of the SAS 70. SAS 70 reports were being used in ways for which they were never intended such as: Operation reports with little or no controls relevant to financial reporting at the user organizations. SAS 70 as a de facto standard in “certifying” control compliance (i.e., SAS 70 certified “branding” on many web sites or press releases).
9 SAS 70 “Remnants” in the SSAE 16 Service Organization Control (SOC 1) Reports in the SSAE 16 standard will continue to addresses controls over financial reporting as was performed in a SAS 70. More to come on reporting later in the session!
10 SAS 70 “Remnants” in the SSAE 16 The use and preparation of Type I and Type II Reports. A Type I report will cover the design of controls assertion and will still be “as of” a point in time. A Type II report will not only address the design of controls assertion but also cover the test of operating effectiveness assertion. This report will cover a period of time of no less than 6 months (recommended).
11 SAS 70 “Remnants” in the SSAE 16 The use of sub-service organizations by reporting entities remains the same. Entities may still the use of the carve-out or the inclusive methods of reporting on the use of sub-service organizations.
12 SAS 70 “Remnants” in the SSAE 16 The SSAE 16 report will continue to have a restricted use in that the report should address controls over financial reporting that relevant to the service organization’s clients and the independent auditors of their clients.
13 What has Changed with the SSAE 16? Management Assertion. The SSAE 16 report will include a written assertion by the management of the service organization that: The description of the system(s) and processes in the SSAE 16 report are fairly presented. Any changes to the system(s) and processes during the period covered by the report have been disclosed (type II reports). The controls related to the control objectives stated in the description were suitably designed and/or operating effectively.
14 What has Changed with the SSAE 16? Use of Suitable Criteria. The service auditor must assess whether management has used suitable criteria in: Preparing the description of the system(s) and processes in the SSAE 16 report. Evaluating whether the controls were suitably designed to achieve the control objectives in the description. Evaluating whether the controls operated effectively throughout the specified period to achieve the control objectives stated in the description (for a type II report only).
15 What has Changed with the SSAE 16? Minimum criteria for evaluating suitability include: Fairness of presentation relative to the description of the system Presents how the system was designed and implemented Includes relevant changes during the period Does not omit or distort relevant information Suitability of the design of controls Management identified the risks that threaten the achievement of the control objective Controls, if operating as described, provide reasonable assurance that control objectives would be achieved
16 What has Changed with the SSAE 16? Minimum criteria for evaluating suitability include: Operating effectiveness Consistent application throughout the period Manual controls applied by individuals with appropriate competence and authority
17 What has Changed with the SSAE 16? Design of Controls Assessment. The design of controls assessment now covers that same period of time as the operating effectiveness assessment in a type II report. In a type II SAS 70 report, the design of controls assessment was as of a specific date.
18 What has Changed with the SSAE 16? Use Internal Audit. The service auditor may use the work of an internal audit department in performing the fieldwork for a SSAE engagement. In order to use the work of an internal audit department, the service auditor needs to evaluate if the work performed by the internal audit department is adequate for the service auditor’s purposes. If the internal audit department work is used in performing testing of controls for a type II report then the use of internal audit and the service auditor’s procedures with respect to that work should be disclosed in the section of the report that details the nature and extent of testing performed.
19 Reporting Under the SSAE 16 The AICPA has outlined 3 types of Service Organization Control (SOC) reports that can be produced as follows: SOC 1 Report— Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. This is the old SAS 70 reporting. SOC 2 Report— Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. SOC 3 Report— Trust Services Report for Service Organizations.
20 Reporting Under the SSAE 16 SOC 1SOC 2SOC 3 FocusControls that are likely to be relevant to a user entity’s financial reporting Security, Availability, Processing Integrity, Confidentiality, and/or Privacy Types of processes and systems Limited to processes and systems that are relevant to financial reporting May be performed on any process or system CriteriaDesigned to address needs of financial statement audit Designed to provide assurance to customers, business partners and other interested parties Intended AudienceUser organization’s and their auditors Customers and business partners Customers, business partners and other interested parties Use / distributionRestrictedMay be restrictedGenerally unrestricted
21 Using the New SSAE 16 Reports There is new guidance that will be in place for the users of the new SSAE 16 SOC reports. This guidance will be a new Statement on Auditing Standard - Audit Considerations Relating to an Entity Using a Service Organization. Effective date for the implementation of this SAS is not until December 15, 2012.
22 Using the New SSAE 16 Reports The objectives of the user auditor as defined by the new SAS, when the user entity uses the services of a service organization, are to: Obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit. This understanding should be sufficient to identify and assess the risks of material misstatement. Design and perform audit procedures responsive to those risks.
23 Why Did Clients Believe That SAS 70 Was Their Savior? A Sample of Actual Vendor Representations Regarding SAS 70...it has successfully issued its SAS No. 70 Type 1 report…. The self-initiated audit demonstrates...commitment to its customers as a reliable, transparent, secure ASP that is focused upon minimizing risk, increasing value, maintaining service availability, and preserving client privacy and data security. Protecting customer data is the cornerstone of...success. Our SAS No. 70 audit is an important way to independently validate how well we manage...security....passing the SAS No Type I audit is a key requirement for companies who wish to perform data-center and Web-hosting functions for financial...or other security-sensitive or regulated organizations. Such institutions can’t use...firms that haven’t passed the SAS No. 70 audit. Thus, many Clients believed that further oversight in these areas would be a duplication of efforts – that the vendor had already independently performed these assurance efforts!!!! Thus, many Clients believed that further oversight in these areas would be a duplication of efforts – that the vendor had already independently performed these assurance efforts!!!!
But The Real Challenge Right to Audit Clause Too expensive to execute – chargebacks and out of pocket Difficult to include in contracts given vendor consolidation May “offend” the vendor if executed What to do on a vendor audit
The Client’s “Compliance” Dilemma and Why It Needs SOC Financial Reporting Accuracy Data Integrity Industry Regulations Security Privacy Availability
26 COSO Internal Control – Integrated Framework
27 From the AICPA’s Perspective- What is the Client’s Role? Management of a User Entity is responsible for assessing and addressing the risks faced by the User Entity. Although management of a User Entity can delegate tasks or functions to a service organization, the responsibility for those tasks and the service organization provides cannot be delegated. A User Entity who relies on a service organization that processes, maintains, or stores information for the User Entity needs to understand and monitor the systems being relied upon for such services in order to: assess stewardship or accountability assess the entity’s ability to comply with certain aspects of laws and regulations assess the integrity of the information provided assess the activities of the entity
28 Sample Vendor Management Risks Where’s the data? Privacy protection programs Enforcing SLAs and key contract terms Implementing unique Client contract terms Control over additional or special services e.g., unique Client add-on or upgrade Accuracy of invoices Vendor’s BCP test does not include Client unique issues Third party reports – how much can we rely on them? Inability to perform periodic due diligence Ability to monitor vendor activities
29 AICPA’S User Methodology (adapted from “Understanding How Users Would Make Use of a SOC 2 Report,” AICPA Trust/Data Integrity Task Force) The User Entity should understand whether: the services relevant to the User Entity are included. there is a clear system description. the controls are relevant, with consideration of planned reliance on the operational and compliance controls, and the relationship to complementary User Entity activities. the report covers a period of time or a point in time and whether that time period is relevant to the User Entity’s coverage needs. there is contiguous coverage between reports. there should also be consideration of the level of change and the cyclical nature of processing within the system as well as historical information about the system.
30 SOC 1 New User SAS The new clarified SAS for user auditors - Audit Considerations Relating to an Entity Using a Service Organization - expands on how a user auditor audits the financial statements of a user entity to enable user auditors to fulfill two important requirements of the risk assessment standards: (1) to obtain an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and (2) to design and perform further audit procedures responsive to those risks. The effective date of the new SAS is for audits of financial statements for periods ending on or after December 15, When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU 324
31 How To Incorporate SOC Reports into IT Vendor Management Programs discuss the need Managers and their auditors (both internal and external) should discuss the need to actually review the report. good source of background At a minimum, the report could provide risk managers with a good source of background information on the vendor. policy describing the need Review vendor management policy describing the need, if any, for various departments to review the report. The report will clarify whether it is a Type I or Type II report. Type I – Identified Controls Not Tested Type II – Identified Controls Tested “The Service Organization’s Description of Controls” generally not audited by the auditor The report section entitled “The Service Organization’s Description of Controls” enables the vendor to provide background information that it deems to be important to readers. This section is generally not audited by the auditor and should be treated as such. “Information Provided by the Service Auditor,” The next section, “Information Provided by the Service Auditor,” provides additional details about the suitability of controls identified to support the control objectives. vendor and not the auditor specifies the control objectives In a Type II report, the auditor tests the effectiveness of these controls. Because the vendor and not the auditor specifies the control objectives being reported on, potential weaknesses can be identified by noting the types of control objectives normally associated with the given process that are not included. “User Control Considerations,” Typically the last section, “User Control Considerations,” normally a one to two-page section of the report, is a must-read for all. This section identifies those controls identified by the service auditor that are the responsibility of the customer..
32 About the Presenters Michael Pinna Michael Pinna has over 22 years experience auditing IT, financial, and operational controls across a wide variety of industries including manufacturing and distribution, financial services, not-for-profit, technology, and professional services. Michael is currently the Director of the Information Technology Assurance practice at WeiserMazars LLP and is responsible for all IT aspects of many of the Firm’s SOX engagements and also specializes in performing SAS 70 and Sarbanes-Oxley IT reviews. Before joining Weiser, Michael held positions with First Data Corporation as a Director of Technology Audit, with Ernst & Young as a Senior Manager, and with Deloitte & Touche as a Manager. Michael is currently serving as the Chairman of the Technology Assurance Committee within the New York State Society of CPAs (NYSSCPA). Michael can be reached at
33 About the Presenters Joel Lanz Joel’s niche practice provides technology risk management, information security and IT audit services to various organizations. Joel serves on the Editorial Boards of The CPA Journal and Bank Accounting & Finance, Joel also serves on the AICPA’s CITP Credential Committee and co-chaired the AICPA’s 2010 and 2011 Top Technologies Task Force. Joel is an adjunct professor of accounting at SUNY – College at Old Westbury. Joel formerly chaired the NYSSCPA’s Information Technology and Technology Assurance Committees. Joel can be reached at