So you have been performing a SAS 70 for the last couple years, or, are getting ready prepared to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued!

Don’t worry about it!
SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your company and the rest of the companies in the US up to date with new international service organization reporting standards, ISAE 3402. This will help allow you and your counterparts in the US be able to compete on an international level, allowing for companies around the world to be able to use YOU as their service organization with complete comfort.
One very important issue that you should be very aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12 month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the New Standards as of July 1, 2010.

Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:

• The fairness of the presentation of the description of the service organization’s system;
• The suitability of the design of the controls to achieve the related control objectives stated in the description; and
• The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)

2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Changes that Directly Impact Type II Engagements

1) The Service Auditor’s opinion on the fairness of the presentation of description of the service organization’s system and on the suitability of the design of the controls would be for a full period, as opposed to a specified date. (i.e. Your report would be for the 6 months covering July 2010 through December 2010.)

• The Type II report would identify the customers to whom use of the report is restricted as “customers of the service organization’s system during some or all of the period covered by the service auditor’s report”

2) Evidence obtained in prior engagements related to the satisfactory operation of controls in prior periods will not be sufficient to reduce the amount of testing performed.

Expected Change Which Didn’t Occur:

While it was expected that SSAE 16 would build upon the previous SAS 70 standard of reporting only on financial reporting activities and allow a service organization to branch out in to other areas of their business, such as regulatory compliance and performance metrics, this was not included within the initial final version of the New Standard and there has been no guidance as to when it would be expected, if ever, to be.

The Previously Expected Change Which Didn’t Occur, Now Has with SSAE-18!

The long awaited update that was needed, but, left unaddressed the during the last update has now been addressed, allowing a service organization to branch out into other areas of their business. This allows coverage of regulatory compliance, performance metrics, and any other set of agreed-upon procedures with definable metrics.

This is a very welcomed enhancement to the standard and service organizations should contact a service provider today to learn more about how SSAE-18 can benefit them.

SSAE-18 reports will be effective for reports issued after May 1, 2017.