As a CPA with 20+ years of experience, I'm a big supporter of accountability and company audits. (See a related story on page 10 on benefit plan audits.) Early in my career as an auditor, I made a living by ensuring companies said what they did and did what they said. The Statement on Auditing Standards No. 70: Service Organizations, commonly known as the SAS 70, has been an industry staple since its issuance in 1992 and a requisite for service providers to test internal controls.
However, effective June 15, SAS 70 will be replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, which some companies are already using. And while SSAE 16 doesn't roll off the tongue quite like SAS 70, I am quite happy to bid SAS 70 farewell.
For HR/benefits professionals who manage employee benefit programs (and who typically lack a background in auditing), wading through an SAS 70 report can be cumbersome. Unfortunately, that's not likely to change with the SSAE 16. That said, my goal is to help benefits professionals better understand what SSAE 16 is, why they'll want to review one from current or prospective service providers, what key information to look for and what to do with that information.
No longer just a check in the box
From the beginning, there were complaints about SAS 70, which requires auditors to assess the control risk of a system presented by management with a single, overall evaluation. The result was that employers had only selective information on which to base risk assessments about the specific controls in place at their service provider.
Perhaps SAS 70's biggest weakness is that an auditor reviews only the controls selected by the service provider. At a minimum, important controls may not be tested, and the overall opinion will be applied to unreviewed controls. In a worst case scenario, a service organization could intentionally eliminate controls from the audit review where there are known weaknesses, thus producing a misleading review.
While holes in an SAS 70 report can signal a red flag, auditors have been limited in raising those flags, and the mere existence of an SAS 70 often signifies that a service provider has adequate control objectives and activities for information technology and related processes - even if weak ones were not tested. In short, the service audit has been treated by some employers as simply a check in the box.
The introduction of SSAE 16 stemmed from the need to update the U.S. service organization reporting standard to mirror and comply with the new international service organization reporting standard known as ISAE 3402. In a global economy, and with increased reliance on outsourcing, third-party audits are critical to reporting on controls at service organizations. And, whether it's an SAS 70, SSAE 16 or some other service audit report, many companies won't use a service provider without a clean report in place.
What's different about SSAE 16?
Overall, SSAE 16 is more stringent than SAS 70, although many of the elements of SSAE 16 are quite similar, including the use of Type I and Type II reports. A Type I report reviews controls as of a single point in time; a Type II report covers a period of time, e.g., six months, and tests whether the controls operated over that period. Type II reports are preferable.
One difference frequently cited is that SSAE 16 is an "attest standard," as opposed to an "audit standard" as is the SAS 70. While technically different, from a practical standpoint this has little impact on the intent or use of the report. However, there are several areas of greater significance to employers - specifically, HR professionals:
1. Written assertion by management. Service providers are required to provide a written assertion stating that the description of the control system is fairly presented, that the controls were suitably designed and implemented to achieve the stated control objectives, and that the controls operated effectively. The service auditor will review this assertion and attest to it. With this increased responsibility on management to make a public declaration, employers can be more confident that the relevant control systems and processes are represented in the report. It greatly minimizes the risk of "not knowing what you don't know."
2. Expanded description of control system and process. This description will carry management's assertion that the control environment, risk-assessment processes, information and communication systems (including relevant business processes), control activities and monitoring activities relevant to the services provided were presented fairly and operating effectively. Because SSAE 16 includes management's assertion, a service auditor's review and opinion may be viewed as a stronger assessment than an SAS 70.
3. Risk identification. Service providers will identify risks that threaten the achievement of control objectives and evaluate whether the described controls sufficiently address the associated risk to achieving the objectives. This includes instances where control objectives were not achieved due to intentional actions by the service organization.
Under SSAE 16, if the service auditor identifies deviations that could be the result of an intentional act by an employee, the auditor is required to dig deeper to determine whether the description of the service organization's system is fairly presented and if the controls are properly designed or operating.
Potential red flags in a service audit are more easily identified and areas of concern receive more in-depth examination. Findings can be discussed with a potential service provider or industry consultant, and compared against other prospective service providers.
4. Subservice organizations. Guidance for service providers on addressing outsourced services, such as data hosting, is clearly defined. Service providers may opt to use an "inclusive" method, where they provide an assertion on the outsourced services along with their own services. Or they can choose the "carve-out" method, where the nature and functions of the subservice organization are described, but its associated control activities are not included.
Employers should be aware of information on all relevant control systems and processes, regardless of whether a function is outsourced to a third-party service provider. Benefits professionals may want to discuss with service providers how they monitor controls for outsourced services. For subservice organizations that are "carved out," the service provider and its users will want assurance that the subservice organization has an SSAE 16 of its own.
Another positive aspect of SSAE 16 is its clear statement regarding use of the report being limited to "customers of the service organization's system during some or all of the period covered by the service auditor's report." So, while an employer can't rely on an SSAE 16 report for its own financial reporting or projections, there is value in requesting an SSAE 16 from a potential service provider.
User control considerations
Perhaps the most important part of an SSAE 16 (or any service audit) for employers is the section on User Control Considerations. While not required (and possibly labeled differently depending on the service auditor), strong SSAE 16 reports include the assumptions the service provider makes about an employer and its expectations of the employer's role in the service provider's control environment.
For example, if the control is to provide reasonable assurance that only authorized changes to systems' data are made by the user organization, the service provider may assume that the user organization will notify it in a timely manner of changes to the list of persons authorized to make updates. If your company is unable or unwilling to participate in this process, then the entire control becomes faulty. But without a clear understanding of the service provider's assumptions, this won't be apparent until there's a problem - a problem that could have been avoided. Decisions to contract with a service provider should be made with a clear understanding of, and consensus on, the assumptions the service provider makes about control systems and processes.
Review all user control considerations carefully with the managers who oversee the control systems and processes referenced in this section to identify any "assumption gaps." These gaps should be the focus of a dialog with the service provider or project consultant before making a decision to move forward with the service provider. Failure to do so can result not only in a service problem for your company, but could also affect your income statement and balance sheet. If you're unable to identify these assumptions within the report, inquire about them.
Why require an SSAE 16?
The reasons to ask for an SSAE 16 report are numerous, not the least of which is that a Type II SSAE 16 ensures compliance with the Sarbanes-Oxley Act for public companies. Regardless, both public and private companies can have greater confidence in a service provider that actively audits its control systems and processes.
In today's wired world, news of a corporate data security breach is commonplace. While an SSAE 16 can't guarantee this won't happen, it can increase your assurance that your service provider knows how to protect sensitive data.
An SSAE 16 will also give you a good understanding of the service provider's processes. And, while changes do occur, past behavior is often indicative of future behavior. That said, evidence from prior service audits that controls operated satisfactorily during earlier periods is not sufficient to reduce the amount of testing performed under an SSAE 16. An internal auditor can review the report to identify any areas of concern.
Further, requiring an SSAE 16 from current and prospective service providers that support key employee benefit functions is an important first step. Remember, however, that not all service audits are equal. When selecting a service provider, inquire about its procedure for evaluating the experience of prospective auditors and also about the breadth of the audit. -E.B.N.
Rhonda Marcucci is the founder of GruppoMarcucci, a nationally recognized HR benefits administration technology outsourcing boutique consulting practice. Marcucci is a 25-year veteran financial and operations executive with extensive experience in finance, accounting, administration, strategic planning, information systems, sales and marketing, and operations.