AICPA releases new standard that supersedes SAS 70

The AICPA recently issued the long-awaited new standard that will supersede the existing standard commonly known as "SAS 70." The new standard, Statement on Standards for Attestation Engagements 16 (SSAE 16), goes into effect for periods dated on or after June 15, 2011. To obtain a copy of the standard, please visit the AICPA website.

Based on our initial analysis, the following are the most relevant and/or the biggest changes introduced by SSAE 16:

* Management will now be required to include an assertion as part of its description section to be provided to your customers. In most cases, the assertion is similar to the representations about design, implementation and operating effectiveness that are already provided to your auditor.

* If you use the inclusive method to include subservice organizations used by your company (e.g., data hosting location), the subservice organizations will also be required to provide an assertion similar to the one provided by management.

* Section II of the report will be further enhanced to more clearly describe the service organization's system. As defined by SSAE 16, a service organization's system includes "aspects of the service organization's control environment, risk assessment process, information and communicating systems (including relevant business processes), control activities and monitoring activities that are relevant to the services provided." In addition to the existing description of controls, the description of the system should cover the following additional items, among other things:
- Description of the services provided, including classes of transactions processed
- Description of the procedures by which services are provided, including transaction initiation, authorization, recording, processing and reporting
- Description of the process to prepare reports provided to customers
- Other aspects of the COSO internal control framework relevant to the user entities
- Any changes that occur during the audit period

* SSAE 16 is still focused on financial reporting only, despite early speculation that operating and compliance objectives would be allowed.


Tags: ssae-16, ssae16


About SSAE-16.org

SSAE-16.org
1852 Quartz St.
Coventry, RI 02816