

Page 1: September article SSAE 16 the SAS 70 Final Version (mp)

SSAE 16: the SAS 70 2.0 — what lies ahead? By John McLain CISA, CDFM and Omar Kuyateh CGFM, CDFM, CISA, CISM, CFE, PMP

Changes in the regulatory landscape have generated a need for additional information regarding internal control over financial reporting not currently covered by SAS 70, the AICPA’s Statement on Auditing Standards No. 70, Service Organizations, issued in 1992. The new guidance is Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16). Both documents define the professional standards used by a service auditor to assess and report on the internal controls of a service organization. Service organizations can be any entity providing services to clients.

According to AICPA guidance in SAS 70 and SSAE 16, a service organization’s services typically affect the organization’s clients’ control environment. Examples of government sector service organizations include Medicare contractor organizations that process Medicare payments on behalf of the Centers for Medicare and Medicaid Services (CMS), such as Palmetto Government Benefit Administrators, Noridian Administrative Services LLC, Wisconsin Physicians Services Insurance Corporation and Highmark Medicare Services, Inc.

SSAE 16 is effective for reports for periods ending on or after June 15, 2011, but organizations can adopt it earlier if they wish. SSAE 16 does not significantly change the process of reporting on controls at a service organization; however, it does introduce additional changes that require more input from management.

Changes introduced by SSAE 16

The main changes introduced by SSAE 16 are as follows:

1. Written management assertion

2. System description

3. Risks to achieving control objectives

Written management assertion

A new management assertion section is the most significant change to the report. Using the Medicare contractor example above, a contractor’s management is required to provide the service auditor with a written assertion. This assertion is that the system is fairly represented, suitably designed and implemented throughout the reporting period; that the related controls were suitably designed to achieve the stated control objectives throughout the period; and that the controls operated effectively throughout the period.

System description

The current Section II of the SAS 70 report, where management must prepare a written description of the system, expands under SSAE 16. Management must now describe the services covered; classes of transactions and details on related procedures and accounting records; the capturing and addressing of significant events other than transactions; report preparation processes; control objectives and related controls; complementary user controls; and other relevant aspects of the organization’s control environment, risk assessment process, information and communication systems, control activities and monitoring controls.

Risks to the achievement of the control objectives

Under SSAE 16, service contractor management should now identify the risks that threaten the achievement of the stated control objectives and evaluate whether the identified controls sufficiently address the risks to achieving the control objectives.


Transitioning to SSAE 16 success factors

Transitioning from SAS 70 to SSAE 16 will present some challenges. Service organizations need to do the following:

1. Start talking with their service auditor to gain a better understanding of SSAE 16 and the auditor’s perspective.

2. Work with their service auditor to determine if adopting SSAE 16 early (before April 2011) is a better alternative than sticking with SAS 70.

3. Review internal monitoring or testing processes to determine if these are sufficient to support the written management assertion required by SSAE 16.

4. Select and document the criteria that management will use to support its written management assertion.

5. Identify the risks that threaten achieving the control objectives.

6. If they rely on subservice organizations, determine whether the carve-out or inclusive method will be used. If the inclusive method is selected, start talking with the subservice organizations about the new requirements (e.g., a written assertion from the subservice provider in the report).

7. Review the existing SAS 70 description of controls and make needed enhancements (including missing components) to describe the system in full.

8. Develop a communication plan regarding the new standards for their customers, their customer-facing employees, and their sales and contract teams.

9. Review existing customer contracts to determine if these will need to be amended to address the transition to the new standards. Revise contract templates to account for the transition to the new standard.

It is advisable for service organizations to discuss the implications of the new standards and early adoption of SSAE 16 as soon as possible. Service organizations that currently obtain a SAS 70 report should consider waiting until the effective date unless there are economic benefits to adopting early, or unless waiting for the effective date will result in higher expenses.

About the Authors

John McLain is currently an Audit Director at Grant Thornton, LLP. He has more than 14 years of information technology audit, controls, governance, risk and compliance (GRC), auditing, and consulting experience. He has considerable knowledge and experience in dealing with GRC and how it influences effective operations in the workplace and data center. Mr. McLain has extensive knowledge of large, complex control environments, systems analysis and application controls.

Omar Kuyateh is currently a Senior Manager at Grant Thornton, LLP. He has more than 13 years’ experience providing audit, accounting and advisory services, of which nine have been dedicated to serving Federal government agencies. Omar’s work experience includes direct knowledge of planning and executing federal audit and advisory engagements, specifically helping federal government agencies comply with OMB Circular A-123, Appendix A, Review of Internal Controls over Financial Reporting.

About Grant Thornton LLP

Grant Thornton LLP, founded in Chicago in 1924, is one of the largest accounting and management consulting firms in the world. Grant Thornton’s Global Public Sector practice, based in Alexandria, Virginia, is a global management consulting business with the mission of providing responsive and innovative financial, performance management, human capital management and systems solutions to governments and international organizations. We have provided comprehensive, cutting-edge solutions to the most challenging business issues facing the public sector.

Contact us

John McLain, Director, T 703.837.4460, E [email protected]

Omar Kuyateh, Senior Manager, T 703.637.2908, E [email protected]

or visit www.GrantThornton.com/publicsector