SSAE 16 - Management's Responsibilities
2011-06-02
Overview
By now, service organizations should be familiar with the changes required by Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and have a plan to address those changes.
Part Two of our review on SSAE 16 focuses on one of the more significant (and possibly time-consuming) changes for your service organization. With SSAE 16, management must provide the service auditor with (1) a description of the organization’s “system” of internal controls, and (2) a written assertion for the SSAE 16 report.
System of Internal Controls
Statement on Auditing Standards No. 70 (SAS 70) requires the service organization to provide a description of its controls. Under SSAE 16, a service organization must provide a description of its system as designed and implemented. While the term “system” has several definitions, a useful definition is the controls, procedures, people, software, data, and infrastructure organized to achieve a specific objective.
SSAE 16 does not prescribe how, or in how much detail, the system must be documented. However, service organizations should focus on controls relevant to financial reporting. We expect the scope, level of detail, and format of the description to vary from one service organization to another, depending on the complexity of their operations.
We advise that service organizations work toward incorporating a comprehensive description including:
- The service organization’s elements of internal control which include: (1) control environment, (2) control activities, (3) information and communication, (4) risk assessment, and (5) monitoring. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) “Internal Control – Integrated Framework” (1992) and “Enterprise Risk Management – Integrated Framework” (2004) are the most frequently used standards for designing, implementing, and monitoring internal controls and related risk management activities.
- Description of services provided, including classes of transactions processed. If the service organization processes transactions, the description should help identify the user’s processes and accounts that may be affected. If the service organization provides information technology (IT) or infrastructure services, the description should include the general controls the user would consider significant.
- Description of manual and automated procedures used in the transaction processing cycle. The cycle should include, as applicable, the transaction initiation, authorization, recording, processing, error correction, and reporting.
- Description of other events and conditions that affect transaction processing and related services, such as IT controls. The Information Systems Audit and Control Association’s (ISACA) “COBIT Framework for IT Governance and Control” is an excellent resource for IT control objectives, control activities, and management and monitoring procedures.
- Description of the process used to prepare financial reports and data provided to the user.
- Description of controls performed by a subservice organization when the inclusive reporting method is used.
- Description of the controls that are the responsibility of the user (often referred to as complementary user controls).
- The time period the description covers along with a description of significant changes to the system that occurred during the audit period (Type 2 report only).
Start by reviewing the description of controls in your most recent SAS 70 report. You may find that the system is already well documented and few changes are needed, or you may find a major overhaul is necessary. Involve department supervisors in the process because they will have a more complete understanding of current operations and controls.
Written Assertion
Under SSAE 16, management must assert to the fair presentation of the description of the system, the suitability of the design of the controls, and, in the case of a Type 2 report, the operating effectiveness of the controls. A written assertion must be included in the SSAE 16 report. Subservice organizations must also provide an assertion in the SSAE 16 report when the inclusive method is used.
Public companies may already have a process in place to monitor and evaluate controls needed to provide this assertion. Other companies will need to identify the person(s) responsible for the assertion and implement processes that will enable management to provide the assertion.
One challenge for management is having enough information on the effectiveness of controls to provide that written assertion. The COSO framework provides guidance on monitoring activities as a means to assess the quality of the system’s performance over time. These monitoring activities can help provide the required information for management’s assertion.
The COSO framework describes two principles of monitoring: evaluations (both separate and on-going), and reporting deficiencies.
- Separate evaluations typically refer to an organization’s internal audit function. Audits are planned and scheduled using a risk-based audit approach, performed by internal staff independent of the operations or outsourced to a competent third party, and results are reported directly to management or an audit committee. In some cases, the service auditor can rely on the work performed by internal audit to reduce its procedures and possibly the overall cost of the SSAE 16 audit. These opportunities should be discussed with the service auditor as soon as possible.
- On-going evaluations: we recognize that managers in small organizations may have direct hands-on involvement in daily operations and can recognize problems as they arise. On-going monitoring procedures may be a part of an organization’s normal activities. Other processes include:
  - Benchmarking or similar performance metric reporting
  - Control self-assessment questionnaires
  - Management oversight procedures
  - Reports to customers on service-level performance
  - Customer complaint or incident management programs
- Reporting deficiencies is an important part of monitoring. The process should identify deficiencies that threaten operations and accurate financial reporting, provide systems for recording those deficiencies, and define how deficiencies and corrective actions are reported to the process owner, manager, senior management, and, in some cases, the Board of Directors.
On-going monitoring programs can be delegated to department supervisors with specific knowledge of the department’s activities. This information must make its way to top management and the person signing the assertion.
IMPORTANT – For SAS 70 reporting cycles that have traditionally ended on June 30, service organizations must adopt the new standard and implement a process soon for management’s assertion of controls for their June 30, 2011, report.
We can help.
With over 15 years of SAS 70 examination experience, we can answer your questions and can help you achieve a seamless transition to the new standards through tailored readiness assessments, consulting, or audit engagements.
Please contact Mark Caiazzo for more information at 207.541.2321 or by email mcaiazzo@berrydunn.com.
BerryDunn, established in 1974, is the largest certified public accounting and management consulting firm headquartered in Northern New England. With offices in Maine and New Hampshire, we provide clients throughout the country with a wide range of accounting and consulting services.
Related Professionals
- Mark A. Caiazzo, Principal - 207.541.2321 - mcaiazzo@berrydunn.com
- Christopher Ellingwood, Manager - 207.541.2290 - cellingwood@berrydunn.com