Accounts Receivable Management & Collections

The Value of SOC 2

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting functions, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More

Cloud Computing and SOC 2

As more businesses begin to shift their interests to Cloud Computing, there are concerns regarding security-related risks.  First, let’s discuss the “Cloud”. Cloud computing is a new way of delivering computing resources, not a new technology.  Cloud computing providers give end users the ability to access applications via the internet.  As Cloud computing is achieving increased popularity, security concerns have become paramount with the adoption of this new computing model.  The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of this innovative deployment model differ widely from those of traditional architectures.

Read More

SOC 1 / SSAE 16 Case Study for Payroll Administration Services

Case Study - SSAE 16 (SOC 1) for Payroll Administration Services Industry Organizations that directly provide payroll administration services to your clients or are a vendor associated with companies that provide payroll administration services such as electronic funds transfer, payroll debit cards, payroll software, tax filing, or time and attendance and as such have a direct or an indirect impact on the end customers’ financial statements.

Read More

Value of the SOC 2 for Service Organizations

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting function, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More

SOC 2 – Not your prior year SAS 70

After a 20 year reign as the service auditor’s report, the SAS 70 was retired this summer with much fanfare. After being used to communicate the design, implementation and operating effectiveness of controls at every type of service organization imaginable, the AICPA published new standards that better align the type of service organization and service provided to the report used to communicate the design, implementation and operating effectiveness of controls to the user of the report.

Read More

SSAE 16 – What is the Minimum Period for a Type 2 Report?

While working with clients to scope their SSAE 16 engagements, many a times we are asked what is the minimum coverage period for a Type 2 SSAE 16 examination.  Let me try and answer that questions and draw some clarity to it. The SSAE 16 standards require a minimum of a six month reporting period.  Paragraph A42 of Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), states that a type 2 report that covers a period of less than six months is unlikely to be useful to user entities and their auditors.

Read More

SAS 70 is gone??? Why can’t I get a SSAE 16?

In the past two weeks, we have been asked my multiple clients to explain to their customers that the SAS 70 audit standard was superseded as of June 15, 2011.  Our clients were faced with frustrated user organizations that were looking for their SAS 70 audit report.  We had to not only provide our literature and white papers outlining the audit standard has been superseded but provided information directly from the American Institute of CPAs (AICPA) to the same effect. It even got to the point where I told the user organization to call a national accounting firm in their city to confirm what we have said along with the AICPA.   This frustration from user organizations can be expected when the SAS 70 audit requirement lies in the hands of a contracting officer at the user organization.  The communication gap between the legal or vendor relations department and the accounting departments at an organization sometimes is wide and must be bridged.  When the exposure draft of SSAE 16 was released years ago, I recall preaching to clients that they should begin speaking with their customers regarding the change and update contracts with customers as well as vendors to reflect the eventual vanishing of SAS 70.  We continue to encourage clients as we move into September, which is typically “SSAE 16 busy season, “ that our clients should contact their customers and educate them regarding the change and utilize A-LIGN as a resource to provide additional literature where necessary to explain the new standard.

Read More

SSAE 16 Benefits to Service Organizations

Service organizations receive significant value from having an SSAE 16 examination performed.  An SSAE 16 report with an unqualified opinion issued by an independent CPA firm differentiates your company from your peers by demonstrating that your company has achieved a defined set of control objectives relevant to your specific industry, your controls are effectively designed, and, in the case of a Type 2 report, that the controls are operating effectively over a period of time.

Read More

SOC 2 and Subservice Organizations

SOC 2 AND SUBSERVICE ORGANIZATIONS After a review of the new SOC 2 guide, Reporting on Controls at a Service Organization, I noticed that the responsibilities of the service auditor, service organization and subservice organization all seem to have increased when it comes to how subservice organizations may be considered / treated under the new standard.  Trying to get all three parties on the same page is a daunting feat in itself and I wanted to take a moment to share some of the highlights. The inclusive and carve-out method can still be used for subservice organizations just as in SOC 1.

Read More

SSAE 16 REPLACING SAS 70

ADVANTAGE TO THE COLLECTIONS INDUSTRY – AGENCIES, ATTORNEYS, VENDORS, CREDITORS AND ASSET BUYERS The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization was issued in April 2010.  As of June 15, 2011, the SSAE 16 effectively replaces the long standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1.  The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting.  The SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now.  For service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed, changes will be required to effectively report under the new SSAE 16 standard.

Read More