SSAE 16 contains 9 deviations from the ISAE 3402 framework, which at a high level include:

    1. Intentional Acts by Service Organization Personnel
    2. Anomalies
    3. Direct Assistance
    4. Subsequent Events
    5. Statement Restricting Use of the Service Auditor’s Report
    6. Documentation Completion
    7. Engagement Acceptance and Continuance
    8. Disclaimer of Opinion
    9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report

SSAE 16 Guidance

June 21st, 2010

A high-level explanation per the SSAE 16 Guidance of what management must provide to the service auditor:

(1) access to all information, such as records and documentation, including service level agreements, of which management is aware that is relevant to the description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the service auditor determines it is necessary to obtain evidence relevant to the service auditor’s engagement; and
(4) written representations at the conclusion of the engagement.

Basically, you must provide anything the service auditor needs in order to attest to “Management’s description of the service organization’s system”, which is the main change associated with SSAE 16.

SSAE 16

June 11th, 2009

The AICPA’s Auditing Standards Board (ASB) released Statement on Standards for Attestation Engagements 16 (SSAE 16), Reporting on Controls at a Service Organization.

In SSAE No. 16, an auditor who audits the financial statements of a user entity is known as a user auditor. In auditing a user entity’s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity’s financial statements that are affected by information provided by the service organization. In some cases, the user entity is able to implement controls at the user entity over the service performed by the service organization. In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions. In the latter case it may be necessary for a user auditor to obtain information about the effectiveness of controls at the service organization that affect the quality of the information provided to user entities. The user auditor could visit the service organization and test the service organization’s controls that are relevant to the user entity’s internal control over financial reporting. However, because many entities use the service organization, a number of user auditors may visit the service organization, require the assistance of service organization personnel, and disrupt the business of the service organization.

SSAE 16 is a standard that addresses reports on the description, design, and operating effectiveness of controls related to outsourced services performed by service organizations. Outsourced services can range from a service organization assisting with processing transactions, to performing one or more business or IT functions, to hosting the IT environment for a user entity.