Assurance Reporting: What does the Evolution of SAS 70 to SSAE 16 and ISAE 3402 Mean for Outsourcing Relationships?
Thomas Hall, Managing Director, Contract Negotiations Advisory
Third-party assurance reports provide customers of outsourced services with information about the internal controls maintained by their provider’s delivery organization. Historically, the control standards set forth by the American Institute of Certified Public Accountants (AICPA) in Statement on Auditing Standards No. 70 (SAS 70) have been most commonly applied around the globe, although various other local control standards have provided the basis upon which service providers have designed their control programs.
In January 2010, the AICPA finalized its Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16). SSAE 16, designed to replace SAS 70 as the standard for reporting of controls by outsourcing service providers, becomes effective in June 2010. The AICPA finalized SSAE 16 on the heels of the completion of its international counterpart, the International Standard on Assurance Engagements No. 3402, Assurance Reports on Controls at a Service Organisation (ISAE 3402), which was released by the International Auditing and Assurance Standards Board (IAASB) in December 2009.
SSAE 16 and ISAE 3402 include the following fundamental changes from SAS 70:
- SAS 70 requires the service provider’s management to prepare a description of the controls in place in the organization. The new standards expand the disclosure requirement to include a description of its System.
- Service provider management will prepare an assertion to accompany the description of its System and Controls, and the service provider’s auditor will attest to the management’s assertion.
- The service provider is responsible for identifying risks that could threaten the effectiveness of the controls it has implemented.
Whether you are a customer of outsourced IT infrastructure or finance and accounting business processes, your current contracts should include provisions that speak to your service provider’s control processes and your rights to visibility and assurance. Many existing contracts for outsourced services specifically require SAS 70 Type II reports. Prior to June, customers should review their contracts to check for “or equivalent” language, at a minimum, and engage their service providers in conversations to understand how SSAE 16 and ISAE 3402 will impact their approach to controls.
Customer governance personnel should engage the compliance department to discuss what the new standards mean to the customer organization, and what, if anything, should be addressed through revised expectations under current contract language or through modification of contractual obligations with their service providers.
The introduction of SSAE 16 and ISAE 3402 to the marketplace for outsourced services opens the door for reconsideration of visibility and assurance. It invites collaborative dialogue between the parties regarding existing contracts, and provides an opportunity for service providers to further distinguish themselves as collaborative partners in competitive pursuits for new business.
Thomas, thanks for this information, very informative.
I also find http://www.ssae-16.org a useful resource to better understand the change from SAS70 to SSAE 16.
Thanks again.