John Funk, SNR Denton
Scott Graham and Hunter Henley, Protiviti
Many outsourcing contracts have a hard-coded requirement that the service provider conduct periodic SAS70 audits. A recently adopted audit standard for service organizations makes the SAS70 audit outdated. Outsourcing customers should review and adjust their outsourcing contracts to contemplate the new standard.
Congress enacted the Sarbanes-Oxley Act of 2002 (the “Act” or “SOX”) after a wave of financial reporting abuses by major public companies. Section 404 of the Act requires management teams of U.S. public companies to include information in their annual filings about the adequacy and effectiveness of internal controls over financial reporting. In response to independent auditors’ failure to uncover and report such abuses, the Act also established the Public Company Accounting Oversight Board (“PCAOB”) to provide independent oversight of, and standards for, public accounting firms that provide audit services. Some companies began to outsource certain accounting functions to help alleviate SOX requirements, and many companies had outsourced or would outsource functions directly related to financial reporting (such as operation of accounting systems), but outsourcing did not relieve management’s obligation to evaluate controls over financial reporting, outsourced or not. Therefore, public companies that outsource functions related to financial reporting continue to grapple with ways to include and evaluate the financial reporting and information technology controls their service providers perform. To help management evaluate controls within outsourced functions, the PCAOB eventually adopted the American Institute of Certified Public Accountants’ (AICPA) preexisting Statement on Auditing Standards No. 70, or SAS70, as a vehicle to assist management in complying with SOX requirements.
Over time, partly due to pressure from their customers, many US-based outsourcing service providers, and some international service providers, began conducting an annual SAS70 audit of relevant operations and locations as a matter of course. In the mid-2000s, well-advised publicly held outsourcing customers began to require, in their outsourcing agreements, that service providers conduct an annual SAS70 audit and provide the report to the customer. It also became more common for practitioners of public accounting to attest, within SAS70 reports, to matters in addition to financial reporting controls. Most commonly, practitioners would also attest to compliance with privacy laws, such as Gramm-Leach-Bliley (GLB) and the Health Insurance Portability and Accountability Act (HIPAA). At the same time, outsourcing customers became more concerned about their service providers’ compliance in such areas.
To help reconcile the market’s demand for attestation beyond financial reporting with SAS70’s scope limitations, the AICPA developed the Statement on Standards for Attestation Engagements No. 16 (SSAE16) and made it effective for reports on controls at service providers for periods ending on or after June 15, 2011. Under SSAE16, there are three kinds of “Service Organization Control” (SOC) examination reports: SOC 1, SOC 2, and SOC 3.
A SOC 1 report covers the service provider’s controls relevant to the customer’s internal control over financial reporting. It provides information, and the CPA’s opinion, about the customer’s financial statement and SOX controls to the customer’s auditor.
A SOC 2 report covers the service provider’s controls relevant to security, availability, processing integrity, confidentiality and privacy. It provides information and the CPA’s opinion about such controls to the management of the service provider and to the management of its customers.
A SOC 3 report covers the same ground as the SOC 2 report, but provides an interested party (one that does not need the level of detail provided in a SOC 2 report) with the CPA’s opinion about the service provider’s controls relevant to security, availability, processing integrity, confidentiality and privacy. As such, a service provider that undergoes a SOC 3 examination can elect to have its name added to the AICPA’s website, along with the SSAE16 SOC 3 seal, for interested parties to view.
Each SOC report is available as a Type 1 or a Type 2 report. If the service provider elects to undergo a Type 1, the service auditor will only opine on the design of the service provider’s controls as of a specific date. In a Type 1, the service auditor is essentially saying, “In our opinion, as of this date, the service provider has designed controls that will reduce its customer’s risk to an acceptable level.” By contrast, the Type 2 report will state the auditor’s opinion on the design of the service provider’s controls as well as an opinion on whether those controls actually operated as described over a specified period. Usually, the Type 2 report will cover one fiscal year. Additionally, service provider management must assert to the performance of the controls described in the SSAE16 report and specify the basis on which it can make its assertion.
Many outsourcing contracts entered into over the past several years have a hard-coded requirement for an annual SAS70 Type II audit, an outdated standard that is no longer available. Outsourcing customers should adjust these contracts to contemplate the new standard. However, it is not as easy as plugging in “SSAE No. 16” for “SAS 70.” An outsourcing customer should:
review its existing outsourcing contracts;
work with its internal auditors and external auditor to determine whether it needs a SOC 1, SOC 2, or SOC 3 report, and which type of report (Type 1 or Type 2), in the future, taking into account the type of services being performed by the service provider, the customer’s reporting requirements, and the expanded scope of a SOC 2 or SOC 3 examination beyond financial reporting controls; and
work with its service provider to reflect such changes in the agreement.
There are few differences between SAS70 and SSAE16, but the differences are significant. SSAE16 places more emphasis on risk and on management’s oversight than its predecessor did. How smoothly an organization transitions to the new standard will likely depend on how well the organization understands controls, monitoring, and frameworks. As such, a deliberate transition strategy will likely prove effective and beneficial.