Over the past few years, the introduction of the Sarbanes-Oxley Act, together with a greater focus on risk management, has increased the demand on service providers to obtain third-party assurance over the design and operating effectiveness of their internal controls. It is therefore no surprise that, as regulation of the financial services industry increases, the regulatory standards and frameworks themselves are changing as well.
Historically, the most popular form of controls attestation report has been referred to as a Statement on Auditing Standards No. 70 report (a "SAS 70"). A SAS 70 report is prepared in one of two forms: a Type I or a Type II report. A Type I report provides an opinion on the description and design of an entity's controls as at a point in time. A Type II report, in addition to covering the description and design of controls, also includes an opinion on the operating effectiveness of the entity's controls over a period of time.
Following the International Auditing and Assurance Standards Board ("IAASB") issuing a new standard, International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization ("ISAE 3402"), standard setters in the United States have replaced SAS 70 with Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization ("SSAE 16"). Generally speaking, the convergence of the US and international standards is intended to ensure that controls attestation engagements are conducted, and the resulting reports prepared, under a consistent global framework. Both standards are effective for reporting periods ending on or after June 15, 2011 (with early adoption permitted). Engagements performed by auditors in the US will be conducted under SSAE 16, while those performed outside the US will be conducted under ISAE 3402.
The most significant change requires management to include in the report a written assertion acknowledging its responsibility for the entity's internal controls and confirming, to the best of its knowledge, whether the controls within the organization have been fairly described, suitably designed and are operating effectively. This is similar to the existing certification requirements for CEOs and CFOs of public companies subject to Sarbanes-Oxley. The service auditor will require that management have a "reasonable basis" for providing this assertion. This does not mean that the organization must formally document every control or implement a rigorous "self-testing" program. It does, however, highlight the importance of management ensuring that the service organization has strong monitoring controls in place. In fact, ISAE 3402 explicitly states that merely having a report on the operating effectiveness of controls "is not a substitute for the organization's own processes to provide a reasonable basis for its assertion".
It is also becoming increasingly common for service organizations to outsource key components of their control environment (e.g. information technology controls) to third-party service providers, referred to as "sub-service organizations". If the service organization intends to include the outsourced function in the scope of its ISAE 3402 or SSAE 16 report (the "inclusive" method), the new standards also require a management assertion from that sub-service organization to be included in the report. As you can imagine, it is critical that any relevant sub-service organizations are made aware of this requirement as early as possible. It may also result in additional work by the service auditor to obtain comfort over the sub-service organization's control environment.
Further, for a Type II report, all three assertions (i.e. description, design and operating effectiveness of controls) will now be required for a period of time and described accordingly in the audit opinion. Under the previous standard, only the assertion for the "operating effectiveness of controls" was assessed over a period of time, while the "fairness of description of controls" and "suitability of design of those controls" was assessed as at a point in time.
The Securities and Exchange Commission ("SEC") in the United States has recently adopted amendments to the Custody Rule under the Investment Advisers Act of 1940, whereby a Registered Investment Advisor ("RIA") that acts as a "qualified custodian" for its clients' funds or securities must obtain an opinion from an independent public accountant on the controls relating to custody of those client assets. This requirement can be satisfied by a Type II SSAE 16 report.
In the post-Madoff world, it has become extremely difficult for service providers without an ISAE 3402 or SSAE 16 report to compete with those that have one. Investors are becoming far more sophisticated and thorough in their due diligence procedures, and there is now a general expectation that every reputable financial services provider will have a controls attestation report.
Generally speaking, a significant amount of additional audit work is not anticipated under the new standards; however, this depends very much on the specifics of the service organization's control environment. Accordingly, it is important to engage with your service auditor as early as possible to determine the effects, if any, on your controls attestation engagement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.