The NASPP Blog

May 5, 2011

The New SAS 70

As of June 15, 2011, SAS 70 is being replaced as the U.S. auditing standard for service organizations. Today, I explore some of the background for a SAS 70 report and why it’s being superseded.

Acronym Soup and Background Information

The Auditing Standards Board (ASB), which is a part of the American Institute of Certified Public Accountants (AICPA), issues guidance for auditors including the Statements on Auditing Standards (SAS). SAS No. 70 (SAS 70) is specifically guidance for auditors to use when “auditing the financial statements of an entity that uses a service organization to process certain transactions.” (See the AICPA site for more information.)

Section 404 of the Sarbanes-Oxley Act requires public companies to report on the effectiveness of the internal controls relating to their financial statements. The Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 2 in 2004–superseded by Auditing Standard No. 5 in 2007–which identified how the independent auditor evaluating a public company may rely on a “service auditor report” like the SAS 70 Type 2 report. The process breaks down like this:

An independent auditor for an issuing company must evaluate the controls that are in place to ensure the accuracy of financial reporting. If that company outsources administration processes that could impact financial reporting, the independent auditor should evaluate the controls in place at the service provider as well. A SAS 70 report can provide the necessary opinion not only that the controls are suitably designed (i.e., a Type 1 report), but also that the service company has effectively maintained each of those controls over a period of time (i.e., a Type 2 report). The issuing company auditor is, therefore, able to review the information in the Type 2 SAS 70 report instead of assessing the service provider’s internal controls directly. This saves a huge amount of time, money, and energy for both the issuing company and the service provider. The SAS 70 report has become a standard request for companies evaluating or using third-party stock plan administration service providers.

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaces SAS 70 as of June 15, 2011. The new standard is intended to bring U.S. auditing practices more in line with the international standard, ISAE 3402. Like SAS 70, SSAE 16 consists of a Type 1 and a Type 2 evaluation, Type 2 being the necessary follow-up to determine if controls are being effectively performed over time. Companies with a current Type 2 SAS 70 report may transition directly to the Type 2 SSAE 16 report. You can tell the essential difference between SAS 70 and SSAE 16 in their names alone. SAS 70 is an audit standard that requires only the auditor’s assessment of controls. SSAE is an attestation standard that requires the company to also demonstrate the effectiveness of controls. SSAE 16 requires management at a service organization to provide not just a description of the controls in place, but of the system as a whole. (SAS 70 only requires a description of controls.) In addition, management must attest to the suitability of the system in a written statement that includes a description of the criteria used to make this assertion and the risks that could threaten the company’s ability to effectively maintain the system.

A Little Appreciation, Please

If you’re at an issuing company and the SAS 70 report is something you ask for–or better yet, something you automatically receive–from your stock plan administration service providers, I think it’s time to take a moment to appreciate the effort that’s going to go into the new standard. When you do get your hands on that SSAE 16 report, give it a good look before you pass it on to your auditors. It will give you some serious insight into what controls your service provider feels are essential, which can help you design some of your own internal controls. It can also shed light on what procedures you may need to update in order to help your service provider achieve the control objectives in the report, which in turn helps your company get through that portion of your audit.

-Rachel