The Path to SSAE 16

The Path to SSAE 16

For decades, Statements on Auditing Standards (SAS) have been used to provide guidance to external auditors on Generally Accepted Auditing Standards (GAAS). The certified public accountants’ authoritative bodies in individual countries typically issue them.

In the United States, the American Institute of Certified Public Accountants holds the copyright and disseminates these SAS standards. They are commonly abbreviated as “SAS” followed by their respective number and title.

A common standard, known as SAS 70, was issued in 1993. It provides guidance to auditors when they are assessing the internal controls of a service provider.

The SOX Impact on SAS
In 2002, the Sarbanes–Oxley Act (known commonly as SOX), a U.S. federal law which set new standards for all U.S. publicly registered companies, went into effect. SOX was primarily designed to restore investor confidence following highly publicized bankruptcies and internal control breakdowns.

One section of SOX focuses on the processes that flow into an organization’s financial reporting systems and requires that they evaluate and document all the processes that are used to generate their financial reports, including the processes that are used by their service providers.

If, for example, an organization uses a BPO to process payroll, then the organizations will have to conduct audits and produce the results of those audits from their service providers. Conducting independent results of all their service providers can be a daunting task, but they do have another option. If their service providers can produce an SAS Type II certification, then they may be able to bypass the audit process and use that certification to meet the SOX legislation requirements.

As a result, U.S. public companies started putting pressure on their service organizations to demonstrate SAS 70 compliance. In order to meet their clients’ requirements and to remain competitive, masses of service organizations started undergoing the audit process and many of them obtained SAS 70 compliance. For some organizations, SAS 70 compliance evolved from a nice-to-have to a mandatory requirement.

The Global Economy’s Impact on SaaS
More recently, other external factors have made an impact on the SAS 70 auditing standards. The instability of the global economy has forced organizations to “tighten their belts” and find innovative ways to reduce costs. Many organizations started leveraging new technologies such as Software as a Service (SaaS) or cloud-based services as a way to not only reduce costs, but also to build and expand their global operations.

This trend has led to an increase in the use of BPOs, which in turn created a demand for BPOs to comply with auditing standards. The problem was that the great majority of BPOs are global with global staff members, yet they were being asked to comply with SAS 70 which is the U.S. standard, or whatever country-specific standards were available; for example, the UK’s Audit and Assurance Faculty Standard (AAF), Hong Kong’s HKSA Statements-Auditing Practice, etc. None of these are consistent globally, and they tend to focus on financial companies not on BPOs.

The lack of one international standard resulted in inconsistencies and confusion in the marketplace. It was at that point that various entities started working together.

SSAE 16 Supersedes SAS 70
In June 2011, the International Federation of Accountants put forth a new globally-accepted standard known as ISAE 3402. Today, the certified public accountants’ authoritative bodies in individual countries are being encouraged to either directly adopt the ISAE 3402 standard or to amend their existing standard to closely align with it.

In order for the United States SAS 70 audit standard to align itself with the new ISAE 3402 global standard, the Auditing Standards Board of the American Institute of Certified Public Accountants published a new Attestation Standard, SSAE 16 (Statement on Standards for Attestation Engagement) to supersede SAS 70.

The new SSAE 16 standard is intended to replace an aging SAS 70 standard and keep pace with the growing push towards more globally accepted international accounting standards.

SafeGuard World International is the first global payroll provider to earn this status. If you would like more information about how the SSAE 16 can help your organization be compliant, please contact us.