Risk assessment and review of financial statement risk is a constant process in the management and governance of an organization. An area that is often overlooked is adequate documentation of the internal control (IC) environment within and around the use of independent third-party service organizations. The concern here is the controls in place over services you have purchased. For this reason, Statement on Standards for Attestation Engagements (SSAE) 16 reporting is available to provide additional information regarding the service organization's IC structure, along with additional assurance in the form of documented testing of that IC structure as written.
SSAE 16 made changes to Statement on Auditing Standards (SAS) No. 70. Putting aside the differences between the Statements (the past is the past), the overall impact of this reporting on a nonprofit organization can be significant. If an organization relies upon a contracted service organization to provide services that are significant or material to the organization's financial statements, and the service organization's controls are not operating effectively, the information the nonprofit receives and relies on could be erroneous. An organization's financial statement auditor typically requests the SSAE 16 report in order to evaluate the overall effectiveness of the IC environment within the service organization.
There are several SSAE 16 reports that can be issued by an independent auditor reviewing the IC structure of a service organization (SOC 1, SOC 2 and SOC 3 reports). In addition, the SOC 1 report can be further distinguished as a Type 1 or Type 2 report. Additional guidance is available on the differences between these reports. For typical outsourced processes (payroll processing, medical claims processing), a SOC 1, Type 2 report describes the IC structure and also provides details of the actual testing performed to evaluate the effectiveness of the controls. A section within the SOC 1, Type 2 report even lists recommended user (nonprofit) organization controls that should be in place and operating effectively to ensure that the data provided to the service organization is accurate.
It is the responsibility of management, and ultimately of those charged with governance of the organization, to ensure that the internal control structure surrounding the processes and procedures in place is operating effectively. This includes controls surrounding: 1) providing information to the contracted service organization and 2) reviewing the information received in return from the contracted service organization. Obtaining and reviewing a service organization's SSAE 16 report does not relieve management of these responsibilities. However, management should be concerned if multiple exceptions are noted in one (or more) specific areas of a service organization's processing. Additional controls can be put in place if a service organization is found to be failing to adhere to its stated internal control structure. Requesting and reviewing an SSAE 16 report is a critical step when considering engaging, or monitoring an ongoing relationship with, a third-party service provider.
© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.