SSAE 16: the SAS 70 2.0 — what lies ahead?
By John McLain CISA, CDFM and Omar Kuyateh CGFM, CDFM, CISA, CISM, CFE, PMP
Changes in the regulatory landscape have generated a need for additional information regarding internal control over financial reporting that is not currently covered by SAS 70, the AICPA’s Statement on Auditing Standards No. 70, Service Organizations, issued in 1992. The new guidance is Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16). Both documents define the professional standards used by a service auditor to assess and report on the internal controls of a service organization. A service organization can be any entity that provides services to clients.
According to AICPA guidance in SAS 70 and SSAE 16, a service organization’s services typically affect its clients’ control environment. Examples of government sector service organizations include the Medicare contractor organizations that process Medicare payments on behalf of the Centers for Medicare and Medicaid Services (CMS), such as Palmetto Government Benefit Administrators, Noridian Administrative Services LLC, Wisconsin Physicians Services Insurance Corporation and Highmark Medicare Services, Inc.
SSAE 16 is effective for reports covering periods ending on or after June 15, 2011, but organizations can adopt it earlier if they wish. SSAE 16 does not significantly change the process of reporting on controls at a service organization; it does, however, introduce additional requirements that call for more input from management.
Changes introduced by SSAE 16
The main changes introduced by SSAE 16 are as follows:
• Written management assertion
• System description
• Risks to achieving control objectives
Written management assertion
A new management assertion section is the most significant change to the report. Using the Medicare contractor example above, a contractor’s management is required to provide the service auditor with a written assertion. The assertion states that the system is fairly represented and was suitably designed and implemented throughout the reporting period; that the related controls were suitably designed to achieve the stated control objectives throughout the period; and that the controls operated effectively throughout the period.
System description
Section II of the current SAS 70 report, where management must prepare a written description of the system, expands under SSAE 16. Management must now describe: the services covered; the classes of transactions and details of the related procedures and accounting records; how significant events other than transactions are captured and addressed; report preparation processes; control objectives and related controls; complementary user controls; and other relevant aspects of the organization’s control environment, risk assessment process, information and communication systems, control activities and monitoring controls.
Risks to the achievement of the control objectives
Under SSAE 16, service contractor management should now identify the risks that threaten the achievement of the stated control objectives and evaluate whether the identified controls sufficiently address those risks.
Transitioning to SSAE 16: success factors
Transitioning from SAS 70 to SSAE 16 will present some challenges. Service organizations need to do the following:
1. Start talking with their service auditor to gain a better understanding of SSAE 16 and the auditor’s perspective.
2. Work with their service auditor to determine whether adopting SSAE 16 early (before April 2011) is a better alternative than staying with SAS 70.
3. Review internal monitoring or testing processes to determine whether these are sufficient to support the written management assertion required by SSAE 16.
4. Select and document the criteria that management will use to support its written management assertion.
5. Identify the risks that threaten achievement of the control objectives.
6. If they rely on subservice organizations, determine whether the carve-out or the inclusive method will be used. If the inclusive method is selected, start talking with the subservice organizations about the new requirements (e.g., a written assertion from the subservice provider in the report).
7. Review the existing SAS 70 description of controls and make the needed enhancements (including missing components) so that the system is described in full.
8. Develop a communication plan regarding the new standard for their customers, their customer-facing employees, and their sales and contract teams.
9. Review existing customer contracts to determine whether these will need to be amended to address the transition to the new standard, and revise contract templates to account for the transition.
It is advisable for service organizations to discuss the implications of the new standard and early adoption of SSAE 16 as soon as possible. Service organizations that currently obtain a SAS 70 report should consider waiting until the effective date unless there are economic benefits to adopting early, or unless waiting for the effective date would result in higher expenses.
About the Authors
John McLain is currently an Audit Director at Grant Thornton, LLP. He has more than 14 years of information technology audit, controls, governance, risk and compliance (GRC), auditing, and consulting experience. He has considerable knowledge and experience in dealing with GRC and how it influences effective operations in the workplace and the data center. Mr. McLain has extensive knowledge of large, complex control environments, systems analysis and application controls.
Omar Kuyateh is currently a Senior Manager at Grant Thornton, LLP. He has more than 13 years’ experience providing audit, accounting and advisory services, of which nine have been dedicated to serving Federal government agencies. Omar’s work experience includes direct experience planning and executing federal audit and advisory engagements, specifically helping federal government agencies comply with OMB Circular A-123, Appendix A, Review of Internal Controls over Financial Reporting.
About Grant Thornton LLP
Grant Thornton LLP, founded in Chicago in 1924, is one of the largest accounting and management consulting firms in the world. Grant Thornton’s Global Public Sector practice, based in Alexandria, Virginia, is a global management consulting business with the mission of providing responsive and innovative financial, performance management, human capital management and systems solutions to governments and international organizations. We have provided comprehensive, cutting-edge solutions to the most challenging business issues facing the public sector.
Contact us
John McLain, Director
T 703.837.4460
E John.McLain@gt.com
Omar Kuyateh, Senior Manager
T 703.637.2908
E Omar.Kuyateh@gt.com
or visit www.GrantThornton.com/publicsector
September article SSAE 16 the SAS 70 Final Version (mp)