The International Auditing and Assurance Standards Board (IAASB) issued ISAE 3402, Assurance Reports on Controls at a Service Organization, in December 2007. It's the new standard proposed for improved reporting on internal controls at service organizations, and one that will be recognized internationally.
At the same time, the AICPA revised SAS 70—which had been the standard for reporting on controls at service organizations—and replaced it with SSAE 16. This new standard for reporting went into effect on June 15, 2011.
What This Means for You
Overall, the changes are relatively small. There are, however, a few requirements you should know about. Whereas SAS 70 engagements were direct reporting in nature, SSAE 16 engagements are assertion based.
You and your management will need to prepare a description of your controls system instead of merely a description of the controls. You'll also need to select suitable criteria in preparing the description.
This is the most significant change. You and your management will need to prepare a written assertion that your controls are:
- Suitably designed (Type 1) or
- Suitably designed and operating effectively (Type 2) throughout the entire period.
In addition, your service auditor will be required to attest to your management’s assertion. For a fair presentation, the assertion may include separate testing or ongoing monitoring activities.
Reporting System Changes
Details of any significant changes to the system will need to be reported. This includes changes after the report period but before the report date. However, changes implemented up to 12 months before the report date do not need to be reported.
You'll be responsible for identifying risks that could threaten the achievement of your control objectives.
The reporting requirements that apply to your controls will also apply to your subservice organizations.