Reporting on Controls at a Service Organization
SS&G's professionals have worked with various service organizations, including those in the following industries:
- Health care claims processing
- Payroll processing
- Retirement plan processing
- Information technology-related services, including data hosting facilities
Statement on Standards for Attestation Engagements (SSAE) No. 16 (Reporting on Controls at a Service Organization) has replaced SAS 70, impacting engagements effective for the years ended after June 15, 2011.
Notable changes include:
- Service entity auditors must obtain a written assertion from the service organization's management about the subject matter of the engagement.
- In the description of tests of controls, service entity auditors must identify control tests performed by internal auditors along with the service entity auditor procedures related to that work.
- Service entity auditors are precluded from using evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for reduction in testing in the current period engagement, even when the prior year engagement evidence is supplemented with evidence obtained during the current period.
Additionally, SSAE 16 includes modifications to service entity auditor examination reports to include certain required report elements, and it features enhanced guidance associated with the suitable criteria used in measuring, presenting, and evaluating subject matter.
Management of the service organization is required to prepare a description of its system to include, among other things, the nature of the service provided, how the service is performed, and service organization controls over the service and related control objectives.
SS&G's assurance professionals have extensive experience reporting on controls at service organizations. This reporting process examines, documents, and tests, as required, a variety of internal controls within service organizations to verify effectiveness.
Our role is to independently evaluate a service provider's internal control environment. Benefits to a service organization or third-party administrator include establishing credibility with potential customers and differentiating an organization from its competitors. Specifically, a "clean" report (no reported internal control deficiencies) communicates that the service organization has effective internal controls in place. The process can also be utilized by management as a way to identify opportunities for improvement in operational areas.
At SS&G, our team includes both certified public accountants and certified information technology professionals (CITP) who specialize in producing Type I and Type II reports. The CITP credential is globally recognized as a symbol of the unique ability to review an entity's information system and report on its operating effectiveness.
For more information, please read our SBN article.


