Exposure Draft for Reporting on an Examination of Controls at a Service Organization

By: Jeff Carlini

This blog concerns the proposed SSAE Reporting on Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: Clarification and Recodification (dated September 18, 2014).

One part of this standard is the clarification and recodification, which follows the format of the other recently clarified standards. One key feature is the use of bullet points and headings to make the standards more readable, along with placing the application and explanatory material right next to the standard.

There were several revisions in the standards. See below for some of the more pertinent points:

  • It introduces and defines the term complementary subservice organization controls in paragraph 8.8b.
  • It revises the definition of complementary user entity controls in paragraph 8.8c to include only the controls necessary to achieve control objectives stated in management’s description of the service organization’s system. In the current definition, all controls, even those unnecessary to achieve the control objectives, are defined as complementary user entity controls.
  • It clarifies how a service auditor performs a risk assessment in a service auditor’s engagement.
  • It makes it a requirement, as part of the risk assessment process, to read the reports of the internal audit function and regulatory examinations related to the services provided to user entities.
  • It adds illustrative paragraphs to the Type 1 and Type 2 reports in appendix A, “Illustrative Service Auditor’s Reports,” that would be added to the report in the following situations:
    • The service organization uses a subservice organization, presents its description of the service organization’s system using the carve-out method, and complementary subservice organization controls are required to meet the control objectives.
    • Complementary user entity controls are required to meet the control objectives.
    • Information not covered by the service auditor’s report is included in the description of the service organization’s system.
  • It requires the service auditor to determine that management’s assertion includes all of the criteria management used to evaluate the fairness of the presentation of the description, the suitability of the design of the controls, and, in a Type 2 engagement, the operating effectiveness of the controls. The objective of this requirement is to foster uniformity and completeness of the criteria identified in management’s assertion.

Who is Affected:
Auditors who examine Service Organization Reports

Effective Date:
The effective date of this proposed SSAE has not been determined, but it is anticipated that the effective date would be no earlier than for report periods ending on or after December 15, 2016.

The text of the full exposure draft can be found on the AICPA website.

Jeff Carlini has lived and practiced public accounting in Charlotte, North Carolina for 12 years. He graduated from Lehigh University, earning a B.S. and M.S. in accounting. Jeff started his career at Deloitte in Charlotte, where he became a senior auditor. Following Deloitte, Jeff was a lecturer of accounting at UNCC before becoming a manager at a regional accounting firm in Charlotte. Jeff is currently a partner at Carlini CPA, PLLC. Jeff belongs to and is involved in the AICPA and the NCACPA, and currently serves on the A&A committee of the NCACPA.