Extreme (or Not So Extreme?) Makeover: SAS 70 Edition


By Heather Haemer

In March 2010, the AICPA’s Auditing Standards Board (ASB) released Statement on Standards for Attestation Engagements 16 (SSAE 16), Reporting on Controls at a Service Organization. SSAE 16 is a standard that addresses reports on the description, design and operating effectiveness of controls related to outsourced services performed by service organizations. Outsourced services can vary from a service organization assisting with processing transactions, performing one or more business or IT functions or hosting the IT environment for a user entity. 
The ASB voted to release the final standard in January 2010. The ASB’s vote also pertained to proposed Statement on Auditing Standards (SAS) Audit Considerations Relating to an Entity Using a Service Organization (Redrafted). The ASB’s vote occurred on the heels of the International Auditing Assurance Standards Board (IAASB) adopting International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization. The ASB and IAASB worked closely to ensure alignment of the U.S. and international standards. 


Audit Considerations Relating to an Entity Using a Service Organization (Redrafted) will amend and replace SAS 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324).  SAS 70 previously contained guidance for auditors auditing the financial statements of entities that use a service organization (user auditors) and for auditors reporting on controls at a service organization (service auditors).  SAS 70 will contain guidance for user auditors only.  SSAE 16 serves as the guidance for service auditors.

SSAE 16 is applicable for reports for periods on or after June 15, 2011, although earlier implementation is permitted. Key changes that service organizations should be aware of include a requirement that management of the service organization provide a written assertion and that management identify risks that threaten the achievement of the control objectives stated in the description of the service organization’s controls. Other existing requirements of service organization management that were included in the SAS 70 guidance still apply.

SSAE 16 also contains changes that service auditors will need to understand and apply when reporting on controls at a service organization, although overall, it does not appear that the changes will have an extreme impact on how service auditors will perform these engagements.

Schneider Downs provides accounting, tax, wealth management and business advisory services through innovative thought leaders who deliver the expertise to meet the individual needs of each client. Our offices are located in Pittsburgh, PA, and Columbus, OH

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax-related matter.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.