As you might imagine, the Type II is more thorough and requires more time and effort. The type of assessment report you need (I or II) will be dictated by your customers and prospects; they know how your services impact their operations, which in turn determines the type of report they will require of you.
They will review the control objectives and control activities at your company to verify that they exist and are designed as described.
The auditors will obtain samples of artifacts like documents or reports to support each control activity. For Type II assessments, the auditors will test the effectiveness of the controls, to determine that they can reasonably meet the control objectives they were designed to meet.
SSAE 16 also responds to the convergence of accounting standards between those in the U. Should your customers require ISAE , your auditor can advise whether you need a separate report for that standard.
Technically, you do not receive a certification under these standards.
Amanda Finch is a software industry veteran and a leading expert in alliance strategy. Finch is the Director of Strategic Alliances at Journyx, the first company to provide Web-based time-tracking, project accounting and resource management solutions that guide customers to per-person, per-project profitability.
Finch is also CEO of ADV Group, a consulting firm that helps software companies manage alliance portfolios to deliver real competitive advantage. As a Certified Project Manager, she has authored numerous articles on project and program management for online and print publications. She has also contributed to law journals and other publications on the topic of regulatory compliance for software-service providers and consumers.
SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify previous standards. Among other changes, SSAE 18 additionally requires that service organizations identify subservice organizations and provide risk assessments to auditors.
Not only does the SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allows user organizations to appropriately assess the reliability of the controls at a service organization.
When the AICPA made the decision to replace the SAS 70, they thought it more appropriate for a service organization audit to be an examination of a system, which is different than an audit of financial statements. The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70 simply provided a description of controls and did not include any type of management assertion.
The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report. An SSAE 16 report allows organizations to assess the risks associated with doing business with particular service providers. They are similar in many ways, but the key difference is the period of time covered by the report.
There are several benefits associated with obtaining an SSAE 16 audit report. SSAE no. Many companies function more efficiently and profitably by outsourcing certain tasks or functions to other organizations that have the personnel, expertise or equipment to accomplish the tasks. When the claims processing function is outsourced, health plan customers are instructed to submit their claims directly to the claims processor, which processes the claims based on rules established by the insurers, for example, rules related to eligibility and the amount to be paid for each service.
Even though this information is generated by the claims processor, the insurers are responsible for the accuracy of that information because it is included in their financial statements. The auditors auditing the financial statements of user entities are known as user auditors. Before detailing some of the changes brought about by SSAE no. In some cases, management of a user entity is able to monitor the quality of the data it receives from a service organization by establishing controls that enable it to prevent, or detect and correct, misstatements in its financial statements resulting from errors in the data received from a service organization.
This would be the case if the user entity initiates and records the transactions it submits to the service organization for processing. In other cases, the user entity relies on the service organization to initiate, execute and record the transactions.
An example is a user entity that grants a broker-dealer authority to purchase and sell investments on its behalf based on written guidelines provided by the user entity (a discretionary account). In these circumstances, the broker-dealer is not required to obtain approval from the user entity before initiating each transaction because the broker-dealer has been authorized by the user entity to initiate transactions. The broker-dealer usually provides the user entity with trade confirmations as well as periodic statements to inform the user entity of the transactions that have occurred, its holdings at a specified date, their value and the earnings on the investments.
One approach a user auditor may take to obtain information about controls at a service organization that affect the data provided to user entities is to visit the service organization and test its controls. To avoid this problem, a service organization may engage a CPA to report on controls at the service organization that affect the information provided to user entities and included in their financial statements.
The report enables user auditors to obtain evidence about the quality and accuracy of the information provided to the user entities. In a type 1 report, the service auditor expresses an opinion on whether the description is fairly presented (that is, whether it describes what actually exists) and whether the controls included in the description are suitably designed. Controls that are suitably designed are able to achieve the related control objectives if they operate effectively.
Controls that operate effectively do achieve the control objectives they were intended to achieve. One new requirement in SSAE no. In addition to the required management assertion, some of the other substantive changes introduced in SSAE no. The new SAS for user auditors finalized in May expands on how a user auditor audits the financial statements of a user entity to enable the user auditor to fulfill two important requirements of the risk assessment standards: (1) to obtain an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and (2) to design and perform further audit procedures responsive to those risks.
The effective date of the SAS is for audits of financial statements for periods ending on or after Dec. That decision was made because the guidance for service auditors and for user auditors in AU section is so intertwined that, if the guidance for service auditors were deleted, the guidance for user auditors would no longer be meaningful. A notation will be placed at the beginning of AU section informing readers that the guidance for service auditors has been superseded by SSAE no.
The new SAS does not contain any significant changes for user auditors. When the new SAS becomes effective, it will replace the guidance for user auditors currently in AU section