By Natalie Como, CPA, CGMA
On June 15, 2011 – a date that will live in infamy in the world of internal controls – the Statement on Auditing Standards (SAS) 70 attestation standard was replaced by the Statement on Standards for Attestation Engagements (SSAE) 16 as the standard for reporting on service organizations. One of the largest changes that came with the adoption of this new standard was the shift in focus to controls related to financial reporting and the elimination of controls related to data security and privacy. Controls related to compliance with laws and regulations were also removed from the scope of SSAE 16 engagements, and are now included under separate attest standards and reporting requirements.
Five years later, it has become commonplace for investors and consultants to ask in RFPs whether a prospective investment manager has undergone an SSAE 16 examination, and these same reports have become common tools for performing due diligence on prospective vendors. Whether you are requesting or evaluating a Type 1 or a Type 2 report, do you understand the type of assurance you can receive from reading one type of report over the other?
First, the basics: Both Type 1 and Type 2 reports provide attestation by the service auditor about the fairness of the presentation of the description of the service organization’s system, as well as the suitability of the design of the controls to achieve the related control objectives stated in the description. Where the reports differ, however, is in the scope of their reporting period and the depth of testing. When conducting a Type 1 examination, the service auditor tests (compiles evidence) that the controls specified in the description of the service organization’s system are in operation as of the specific reporting date. During a Type 2 examination, however, the service auditor tests (compiles evidence), via sampling, that the controls were operating effectively during the entire reporting period (not less than six months). Since Type 2 reports cover a period of time, they also reflect any relevant changes to the controls that occurred during that period.
When a service organization decides to undergo an initial SSAE 16 examination, some will choose to first undergo a Type 1. This is a great starting point for entities new to the world of reporting on controls as many firms may not have the documentation available for the procedures a service auditor performs during a Type 2. Most service organizations will eventually move to the more comprehensive Type 2 examination once they have completed a Type 1 examination.
In the case of a Type 2 examination, it is critical for the reader of the report to evaluate the appropriateness of the period covered by the tests of controls. The SSAE 16 report is an auditor-to-auditor communication, with the purpose of providing user auditors with information about controls at a service organization that are relevant to the user entities’ internal controls over financial reporting. The auditors that complete the annual fund audits for investment managers request and review the manager’s SSAE 16 report as part of their risk assessment process and planning for their overall audit strategy. It is important to keep in mind that the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less assurance the report may provide. For example, a report on a six-month testing period that overlaps with only one or two months of the user entity’s financial reporting period offers less support for an auditor to rely on than a report in which the testing covers six or twelve months of the user entity’s financial reporting period.
Investment managers are increasingly seeing RFP questions related to SSAE 16 exams, as these reports are commonly used to perform due diligence on an organization. Similarly, investment advisors are requesting these reports from their key vendors as part of their cyber security due diligence efforts. When relying on these reports, it is imperative to understand the level of assurance provided and whether the scope of the report is applicable to the intended use. For example, suppose an investment manager currently uses Company ABC as its third party vendor for trade settlement. The manager is provided Company ABC’s most recent SSAE 16 report, which covers the controls related to Company ABC’s fund administration services but not the controls relevant to the trade settlement function the manager actually engages Company ABC for. That report is therefore not appropriate for giving any level of assurance over the controls related to trade settlement. Another important element that readers of the report should consider is the complementary user entity control considerations. The AICPA defines these as “controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.” The issuer of the report assumes that certain complementary controls are implemented by the user entity, and that these controls are operating effectively. In order for the user of the report to rely on the controls included within it, they must evaluate their own internal controls to determine that the appropriate risk areas are covered either within the report or within their own internal control structure.
Next time you request an SSAE 16 report from vendors or provide an SSAE 16 report to prospective or current clients, keep these key points in mind to ensure the assurance provided within the report is applicable and relevant based on your due diligence needs and those of your clients.