Financial Services

SAS 70 is gone??? Why can’t I get a SSAE 16?

In the past two weeks, we have been asked my multiple clients to explain to their customers that the SAS 70 audit standard was superseded as of June 15, 2011.  Our clients were faced with frustrated user organizations that were looking for their SAS 70 audit report.  We had to not only provide our literature and white papers outlining the audit standard has been superseded but provided information directly from the American Institute of CPAs (AICPA) to the same effect. It even got to the point where I told the user organization to call a national accounting firm in their city to confirm what we have said along with the AICPA.   This frustration from user organizations can be expected when the SAS 70 audit requirement lies in the hands of a contracting officer at the user organization.  The communication gap between the legal or vendor relations department and the accounting departments at an organization sometimes is wide and must be bridged.  When the exposure draft of SSAE 16 was released years ago, I recall preaching to clients that they should begin speaking with their customers regarding the change and update contracts with customers as well as vendors to reflect the eventual vanishing of SAS 70.  We continue to encourage clients as we move into September, which is typically “SSAE 16 busy season, “ that our clients should contact their customers and educate them regarding the change and utilize A-LIGN as a resource to provide additional literature where necessary to explain the new standard.

Read More

SSAE 16 Benefits to Service Organizations

Service organizations receive significant value from having an SSAE 16 examination performed.  An SSAE 16 report with an unqualified opinion issued by an independent CPA firm differentiates your company from your peers by demonstrating that your company has achieved a defined set of control objectives relevant to your specific industry, your controls are effectively designed, and, in the case of a Type 2 report, that the controls are operating effectively over a period of time.

Read More

SOC 2 and Subservice Organizations

SOC 2 AND SUBSERVICE ORGANIZATIONS After a review of the new SOC 2 guide, Reporting on Controls at a Service Organization, I noticed that the responsibilities of the service auditor, service organization and subservice organization all seem to have increased when it comes to how subservice organizations may be considered / treated under the new standard.  Trying to get all three parties on the same page is a daunting feat in itself and I wanted to take a moment to share some of the highlights. The inclusive and carve-out method can still be used for subservice organizations just as in SOC 1.

Read More

SSAE 16 REPLACING SAS 70

ADVANTAGE TO THE COLLECTIONS INDUSTRY – AGENCIES, ATTORNEYS, VENDORS, CREDITORS AND ASSET BUYERS The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization was issued in April 2010.  As of June 15, 2011, the SSAE 16 effectively replaces the long standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1.  The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting.  The SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now.  For service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed, changes will be required to effectively report under the new SSAE 16 standard.

Read More