SIGN UP NOW!
It's FREE!

Create a Profile and Start Networking with HR Professionals
Register Now - It's Free Registration info
 
Member Content
Blogs | Questions | Files | Events | HR Groups | Members


  • Upcoming Events
  • Past Events
  • Public Events

More Virtual Conferences

Upcoming Conference
24 April - 25 April 2014

Rewards and Recognition

Upcoming Conference
29 April - 30 April 2014

Quality of Hire

Upcoming Conference
5 May - 6 May 2014

Performance Management

My Events
View and edit your current events.
Add Event

Click the "add event" button to create a listing for your event

Advertise Here

Preparing for New Service Organization Control Standards

Topic:
Preparing for New Service Organization Control Standards
Date:
July 11, 2012 at 11:00 - 12:00 PM ET
Presenters:
Sean Widdoes, Senior Consultant(A-lign CPAs)
webcastImgVirtual
Description
The 21st Century Version of SAS 70…..SSAE 16
Overview of the Standard
In April 2010, the AICPA Auditing Standards Board issued the long awaited Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The attestation standard was chosen as a result of CPAs providing attestations on subject matter other than the fairness of the presentation of financial statements. The effective date for SSAE 16 is June 15, 2011; however, earlier implementation is permitted.
Similar to SAS 70, there remain two types of SSAE 16 audits. A Type 1 report is known as a report on management’s description of a service organization’s system and the suitability of the design of controls. A Type 2 report is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
Management will be called upon to describe their service organization’s system in the report. The description will need to include detail such as the processes describing how transactions are processed and reported to user organizations, the specified control objectives and controls designed to achieve those objectives, along with additional aspects of internal control such as control environment, risk assessment, information and communication systems, control activities and monitoring controls. In the case of a Type 2 report, management should include relevant details of changes to the service organization’s system during the period covered by the description.
Furthermore, management will need to provide the auditor with a written assertion to be included in the service auditor’s report. The written assertion should state the following: Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period); The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date (or for a Type 2 – throughout the specified period); The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives (Type 2 only).
With the new SSAE 16, the service auditor will now make an attestation on these management assertions. The service auditor will assess whether management has used suitable criteria: In preparing its description of the service organization’s system; In evaluating whether controls were suitably designed to achieve the control objectives stated in the description; and In the case of a Type 2 report, in evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description of the service organization’s system.
Key Differences from the SAS 70 Audit Standard
While at first look the new SSAE 16 standard and the old SAS 70 standard may appear to be very similar,
there are significant differences. The first of which is the auditor’s opinion letter. The SAS 70 auditor’s opinion was a direct reporting opinion where the auditor directly reported on the fairness of the description of controls, design of the control activities to meet the objectives, and whether the controls were placed in operation and their operating effectiveness. In the SSAE 16 standard, auditors are attesting to management’s assertion as noted above.
The service auditor now has responsibility for determining whether management has used suitable criteria in preparing its description of the service organization’s system. The service auditor will need to
understand the criteria and process management has performed to develop their assertion.
In the case of a Type 2 report, the SAS 70 audit standard did not notate the portion of testing that was performed by internal audit and that which was performed by the service auditor. The SSAE 16 standard has reversed that stance and now the service auditor will disclose in a Type 2 report those tests that were performed by the client’s internal audit department and the description of the procedures the service
auditor performed with respect to that work.
How do I prepare for SSAE 16?
Service organizations need to perform an analysis of their current SAS 70 audit description of controls to identify gaps in the description needed to satisfy SSAE 16 requirements. SSAE 16 requires the service
organization to develop a description of the service organization’s system. The service auditor will examine the description of the service organization’s system to ensure it is fairly presented and ask
questions regarding the description such as:
Does management’s description address all major aspects of the service provided and includes in
the scope of the engagement?
Is the description prepared at a level of detail that could reasonably be expected to provide a
broad range of user auditors with sufficient information to obtain an understanding of the internal
control structure?
After the description of systems has been drafted, the service organization needs to identify the control
objectives and the risks that threaten the achievement of the control objectives stated in the description.
The service organization also needs to design suitable controls that are operating effectively and provide reasonable assurance that the control objectives will be achieved.
Service organizations should begin to develop their assertions which will be included in the service auditor’s report. In addition, management should consider if any sub-service organizations need to develop assertions. Vendors who may not be sub-service organizations but have an impact on the service organization’s internal control structure should also be examined to determine if current contractual requirements to provide the service organization with a SAS 70 report should be updated for SSAE 16.
SSAE 16 is not for Cloud Computing
The AICPA is fully aware of the increased use of cloud computing companies and the need for assurance in the cloud computing arena. Neither SSAE 16 nor SAS 70 should be used to assess controls of cloud computing companies. The AICPA has created a special task force of the Assurance Services Executive Committee to write a new guide which will address such engagements which are performed under AT section 101. AT Section 101 allows for CPAs to perform attestation engagements under this standard when another applicable standard does not apply.
Service organizations should have discussions with their auditors or obtain consultation regarding the new SSAE 16 standard to ensure their compliance efforts are brought into the 21st century.
Who Should Participate
Payroll Providers, Collection Agencies, Application Service Providers, Banking and Financial Services, Communications, Data Center Providers, Energy and Utilities, Government, Insurance, Managed Services and Technology, Non- Profit companies, Professional Services and SaaS.
What You Will Learn
What you should do to prepare for the SSAE 16 audit? How will the SSAE 16 audit be different than last years SAS 70 review? What should you tell you clients about the change?
Recommended Resources
www.aligncpa.com
Communities
Compensation
Human Resources Management
HR Outsourcing
Core HR: Payroll for HR and HRIS
Software Hosting (only)
Small Business
Public Sector and Non-Profit
Outsourcing
HR Audit
Payroll
Presented by
spacer
speaker spacer
Sean Widdoes
A-lign CPAs

View Profile
spacer
Event Sponsors
A-lign CPAs
A-lign CPAs provides risk advisory and compliance services to companies throughout the world. Founded on the single principle that an unparalleled client service experience is the greatest differentiator amongst professional service firms, our greatest strength is that we focus specifically in delivering services to companies and individuals with regulatory or customer compliance needs. To deliver the services requested with efficiency and effectiveness, we have assembled a team of audit professionals comprised of former Big 4 executives who possess the experience needed to execute the engagements. Our services include the following: • SSAE 16 Examination • SOC 1, SOC 2, and SOC 3 • SAS 70 Audit • WebTrust/SysTrust • PCI Readiness • ISO 27002 Benchmark • Internal Audit • Sarbanes Oxley Compliance • HIPAA Compliance Review Specialties Compliance and Regulatory Audits, PCI DSS, SSAE 16, ISO
File List
Feedback
Name Comment Rating
Image of Marianna Tardie, PHR Marianna Tardie, PHR
KnowledgePoint360
4 / 5
Very Good Presentation
Image of Ana T. Ana T.
Houston
3 / 5
Good Presentation
Image of Amy Basel Amy Basel
CTA (Chicago Transit Authority)
3 / 5
Good Presentation
Image of Ericka Browne, SPHR-CA, GPHR Ericka Browne, SPHR-CA, GPHR
Blue Water Thermal Solutions
4 / 5
Very Good Presentation
Image of Jodi Gulla, CPP, PHR Jodi Gulla, CPP, PHR
Universal Hospital Services
5 / 5
Excellent Presentation
4 / 5
Very Good Presentation
Image of James Jones James Jones
Delta Health Center, Inc
4 / 5
Very Good Presentation
Image of Mike Hammer Mike Hammer
SP3M Group LLC
3 / 5
Good Presentation
Image of Jarrod Hough Jarrod Hough
Volkswagen of America Inc
3 / 5
Good Presentation
Image of Robyn Miller Robyn Miller
NMPA Group
4 / 5
Very Good Presentation
Image of Brian Diehl Brian Diehl
Parker Hannifin
3 / 5
Good Presentation
3 / 5
Good Presentation
Image of Markus Richter Markus Richter
A-lign CPAs
5 / 5
Excellent Presentation
Image of Karla Retzlaff Karla Retzlaff
Cooperative Resources International
3 / 5
Good Presentation
Image of Dalene Crowder Dalene Crowder
Verizon Telecom
4 / 5
Very Good Presentation
Image of Stephanie M. Sylvester Stephanie M. Sylvester
Consultant (HR) Maryland
4 / 5
Very Good Presentation
Image of Toni Reynolds Toni Reynolds
AllianceBernstein L.P.
5 / 5
Excellent Presentation
4 / 5
Very Good Presentation
Image of Okaibea (Bebe) Forson Okaibea (Bebe) Forson
CommonWealth One FCU
4 / 5
Very Good Presentation
"Sean did a fantastic job breaking through the ""compliance jargon"" and presented the information in layman terms." 5 / 5
Excellent Presentation

Do you have any comments that you would like to share about the value of this session?

Please help others considering viewing the archive understand the value of the session. How would you rate this presentation?
Excellent        Very Good        Good        Fair        Bad       

Are you becoming an industry expert? Each One Hour Webcast on HR.com is reviewed and can qualify for an Institute for Human Resources credit. The Institute for Human Resources Certification Program provides HR Professionals with an opportunity to specialize in one vertical or domain, making them an Industry Expert. Each of HR.com’s webcasts are reviewed and evaluated against the verticals/domains criteria, and one credit hour can be applied to the appropriate vertical or domain.
For more information regarding the IHR Certification Program, please click here or visit: http://www.hr.com/en/ihr_certifications/
Did you know that each one-hour webcast is submitted to qualify for HR Certification Institute recertification credits? The archive of the webcast also qualifies recertification credits, for one (in some cases two) year(s) after the original broadcast. You can get your PHR, SPHR, GPHR and credits all without ever leaving your desk. We know how busy today's successful HR professionals are, which is why we're committed to delivering the best education to you in an easy and entertaining format. For more information about certification or recertification, please visit the HR Certification Institute homepage at www.hrci.org
"The use of this seal is not an endorsement by HR Certification Institute of the quality of the program. It means that this program has met HR Certification Institute’s criteria to be pre-approved for recertification credit."
WorldatWork Society of Certified Professionals. Recertification credit for this event applies to the Certified Compensation Professional (CCP®), Certified Benefits Professional® (CBP), Global Remuneration Professional (GRP®), Work-Life Certified Professional (WLCP®), Certified Executive Compensation Professional (CECP™) and Certified Sales Compensation Professional (CSCP™) designations granted by WorldatWork Society of Certified Professionals.

Recertification credit for this event can be taken by entering it into your online WorldatWork Society recertification application and entering the program date, title and length. Please note that the CECP and CSCP designations require a minimum number of credits from executive and sales compensation-related activities. For more information on recertification, visit the WorldatWork Society recertification webpage at www.worldatworksociety.org/recertification.


Sitemap   |   Advertise With Us