Goodbye SAS 70; Hello SSAE 16

Apparently I missed this big change. Statement on Auditing Standards No. 70 (SAS 70) was a widely used reporting tool for service organizations all throughout the globe. However, the migration towards more globally accepted accounting principles has put SAS 70 in the rearview mirror. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization completely replaces SAS 70, effective for reports with periods ending on or after June 15, 2011.

SOC 1: SSAE 16 Type 1 Examination
A SSAE 16 Type 1 examination is a report on management’s description of a service organization’s system and the suitability of the design of controls.

SOC 1: SSAE 16 Type 2 Examination
A SSAE 16 Type 2 examination is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

One of the biggest differences introduced by SSAE 16 is that the service auditor is required to obtain a written assertion from management of the organization about the matters the CPA is reporting on. The organization’s management provides the auditor with a written assertion to be included in the SSAE 16 examination report. The written assertion states the following:

  • Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period);
  • The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date (or for a Type 2 – throughout the specified period);
  • The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives (Type 2 only).

I’ll need to dive deeper into the changes. For now, I need to make sure I say “SSAE 16” instead of “SAS 70”.

Sources:

New Custody Rules for Investment Advisers

sec-seal

The Securities and Exchange Commission proposed rule amendments as part of their Open Meeting on May 14, 2009. They talked about the proposed rules, but have not actually made them available. It is hard to judge the potential impact of the rules with being able to see them.

According to the press release and the speech by Mary Schapiro here is a summary of the proposed rules:

  • All registered investment advisers with custody of client assets will undergo an annual “surprise exam” by an independent public accountant to verify those assets exist.
  • If you are an investment advisers whose client assets are not held or controlled by a firm independent of the adviser, you will be required to obtain a SAS-70 report that describes the controls in place, tests the effectiveness of those controls, and provides the results of those tests.
  • You would be required to disclose in public filings with the SEC the identity of the independent public accountant that performs your “surprise exam.”
  • The proposed rules would require that all custodians holding advisory client assets directly deliver custodial statements to the clients instead of through the investment adviser, and that advisers opening custody accounts for clients instruct those clients to compare account statements they receive from the custodian with those received from the adviser.

According to Commissioner Schapiro: “We are taking this action in response to major investment scams — such as Madoff — and many other potential Ponzi schemes.”

Public comments on the proposed rule amendments must be received by the Commission within 60 days after their publication in the Federal Register.

References: