Companies often find that the outsourcing of selected significant business processes to a third-party or ‘service organization’ is a cost effective way to do business. Common types of outsourcing arrangements include significant transaction processing, valuations of certain assets and liabilities and IT infrastructure. Typically, such outsourcing includes outsourcing of activities that would be considered part of a company’s system of financial accounting controls and procedures
While a company may engage one or more service organizations, the company itself remains ultimately accountable for the reliability of the transactions and information generated by each service organization. To the extent that information processed by a service organization impacts the company’s financial statements, the relevant activities of the service organization become part of the financial accounting controls and procedures of the company and will be subject to evaluation and testing by the company’s external auditors.
SSAE16 will replace the well-known SAS 70 standard for reports on internal controls over financial reporting at service organizations for periods ending on or after June 15, 2011. An engagement under the SSAE 16 standard is performed by an independent CPA firm engaged by a service organization to provide a service auditor’s report on the service organization controls (SOC). The product of the engagement is a report that contains a description of the service organization’s system including relevant controls, management’s assertion, results of testing of internal controls and an auditor’s opinion on the description, management’s assertion the results of testing.
Service organizations may wish to obtain a SOC report under SSAE 16 for a variety of reasons-
- to assist customers in their evaluation of their internal controls over financial reporting including as required by the Sarbanes-Oxley Act of 2002,
- to avoid each customer sending their own auditors to the service organization to evaluate and test controls, and
- to provide the service organization with information enabling it to evaluate and monitor its processes and controls relevant to services provided to its customers.
Pursuing a report under SSAE 16 is a valuable undertaking for any service organization. SSAE 16 requires managers of service organizations play an active part in testing their internal control system and assessing possible risks to the business and their clients. These activities will add value to any operation. Evaluating the design of controls might help management discover a need for change or new risks that might not be discovered otherwise. More importantly, effective monitoring will enhance compliance, ensure that control owners are accountable, and ensure the organization’s control objectives are met. Additionally, engaging an independent CPA firm for either type of SSAE 16 engagement will provide an external viewpoint from which to continue to develop a service organization’s business and stay ahead of emerging risks and issues in the industry.
Johnson Lambert & Co. LLP’s experience in the insurance industry and alternative risk; associations and other non-profits; and employee benefit plansindustry niches, makes us uniquely qualified to perform service organization control audits for a variety of types of service organizations providing services to those niches including-
- claims administrators
- benefits administrators
- underwriting administrators
- managing general agents (“MGA”)
- captive insurance managers
Unlike its predecessor, SSAE 16 requires management develop criteria and opine on the design and operating effectiveness of its own controls and include an assessment in the final report. Johnson Lambert & Co. LLP’s experience makes us an ideal partner in this transition from SAS 70 to SSAE 16 or for an initial SSAE 16 report. Johnson Lambert & Co. LLP also provides internal audit and consulting services designed to prepare service organizations for an SSAE 16 engagement including any or all of the following services:
- performing a readiness assessment; evaluating existing controls and providing recommendations for improvements;
- assisting management in its determination of ‘suitable criteria’ for its internal control assessment;
- testing internal controls on behalf of management for management’s reliance; and/or
- working hand-in-hand with service auditors to ensure that results of our assessments are available, reducing the work of the independent service auditor and ensuring a smooth SSAE 16 engagement.
Captive.com posted an article by Johnson Lambert & Co. LLP professionals showing how a SAS 70 audit can significantly streamline your company’s efficiency. The article illustrates how a SAS 70 works by presenting us with practical examples we have all experienced that bog us down every day and impact our efficiency. For a reprint of the “SAS 70: A Strategic Advantage in Challenging Times” article now featured on captive.com click here.