HA&W
404-892-9651

Feature Article

06-18-10

SSAE 16 Supersedes SAS 70


The AICPA recently announced the release of SSAE 16, which replaces SAS 70. SSAE 16 must be used for any service auditor report for periods ending on or after June 15, 2011, with early adoption permitted. (This means that SAS 70 reports cannot be issued for situations where the test period ends on June 15, 2011 or after.)

The release of SSAE 16 is very significant because of its heightened focus on the financial controls of companies that use a service provider (e.g., cloud computing/SaaS, business process outsourcing, etc.). In fact, SSAE 16 is restricted to scenarios where a service provider impacts the internal control over financial reporting (“ICFR”) of its user companies. Moreover, SSAE 16 states that the system and controls described in the report need to highlight those aspects that are known to, or could be expected to, impact a user's financial controls.

This is a very significant change, because in the past, companies often had SAS 70 reports for situations where there was no clear linkage to the financial controls of their users. In still other cases, companies that impacted their users’ financial controls would prepare reports that did not include a detailed description of the aspects of the system that impact financial controls, or of the controls established over those aspects of their system.

So while in the past many companies thought of a SAS 70 report as a one-size-fits-all approach, that notion is clearly and strongly dispelled by SSAE 16. This is critically important as more and more cloud computing models come online and become mission-critical components for users of those services. Both the user of the service and the provider of the service need more transparency around the nature of the services provided, the risks they represent, and the design and operational effectiveness of the controls that mitigate those risks. In many cases, SSAE 16 is a proper report for service providers. In many cases, it is not. Each situation needs to be carefully assessed by both the user of the services and the provider of the services, so that any risk management program undertaken makes good business sense to all, rather than going through the motions of providing a report that serves to complete a checkmark.

Along with the release of SSAE 16, the AICPA is taking steps to increase awareness of its Trust Services Principles & Criteria program (“Trust Services”). Trust Services is often applicable for service providers who do not directly impact their users’ financial controls, but are of such importance to their users (and prospective users) that the users would benefit from receiving an attest report prepared by an independent CPA with expertise in technology and process controls. Trust Services covers risk dimensions such as Security, Confidentiality, Privacy, Processing Integrity, and Availability. Trust Services includes extensive criteria that represent controls and can be customized to incorporate specific controls from other frameworks such as ISO 27001, COBIT, etc.

For more information, contact Dan Schroeder.

For more information, call 404-892-9651 (Atlanta, GA) or 941-955-4429 (Sarasota, FL) or send email to info@hawcpa.com. Atlanta, GA: Five Concourse Parkway Suite 1000 Atlanta, GA 30328. Sarasota, FL: 1990 Main Street, Suite 750 Sarasota, FL 34236. Copyright © Habif, Arogeti & Wynne, LLP. All Rights Reserved.