Over many years, while I have been working with companies as their Independent Service Auditor to help issue their SAS 70 / SSAE 16 reports, I have also been on the other side of the fence, where I was part of the team responsible for the audit of the financial statements of a company that used the SAS 70 / SSAE 16 report. I thought it may be useful to individuals reading this blog to get an understanding of how the SSAE 16 report links to an audit of financial statements, more specifically under Sarbanes-Oxley. Since SAS 70 as a standard is no longer in existence, I will refer only to SSAE through the rest of this blog.
The requirements and guidance for using an SSAE 16 report during the audit of a company's financial statements are contained in AU sec. 324, Service Organizations. When the new clarified SAS ‘Audit Considerations Relating to an Entity Using a Service Organization’ becomes effective (for audit periods ending on or after December 15, 2012), it will replace the guidance for user auditors currently located in AU sec. 324. It applies when, let’s say, Company A (a.k.a. User Entity) obtains services from another organization (a.k.a. Service Organization) that are part of Company A’s information system. If the Service Organization’s services are part of Company A’s information system, then they are part of Company A’s internal control over financial reporting. Hence it becomes relevant that the financial statement auditor of Company A should include the activities of the Service Organization when assessing the risks of material misstatement of Company A’s financial statements.
Auditing Standard No. 5 (AS 5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, specifies that, besides obtaining an understanding of the controls at the service organization that apply to the company whose financial statements are being audited (Company A), the financial statement auditor must also obtain evidence that the controls that are relevant to the auditor’s opinion are operating effectively. One of the ways in which this can be done is by obtaining a service auditor’s report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (Type 2 SSAE 16 Report).
A few important aspects that the financial statement auditor (a.k.a. User Auditor) must consider before placing reliance on an SSAE 16 Report are:
- Is the time period covered by the tests of controls adequate given the relation to the audit of the financial statements?
- Will the SSAE 16 report be made available in a timely manner to provide User Auditors enough time to understand the SOC1 report content and determine the impact upon the audit of financial statements?
- Are the scope of the examination and applications covered, the controls tested, and the way in which tested controls relate to the company’s controls adequate / appropriate?
- Do the results of the tests of controls and the service auditor’s opinion on the operating effectiveness of the controls provide the information needed by the User Auditor?