SSAE No. 16, “Reporting On Controls At A Service Organization”

Employee Benefit Plan Services

SSAE No. 16, “Reporting On Controls At A Service Organization”

As we approach the beginning of the 5500 reporting season for the calendar year 2010 employee benefit plans, it is important to note that we may begin to see the issuance of SSAE No. 16 Reports, “Reporting on Controls That Service Organizations,” a new standard which replaces SAS No. 70 service auditor reports. These reports, which become effective for periods ending on or after June 15, 2011, also permit earlier application.

As with the SAS No. 70 service auditor reports, there are two types of SSAE No. 16 Service Organization Control Reports: a Type No. 1 Report and a Type No. 2 Report. A Type No. 1 Report provides a management’s description of a service organization’s system of specified internal controls, along with an opinion as to the suitability of the design of the controls. A Type No. 2 Report also provides this information, but in addition, reports on the operating effectiveness of the specified controls. In this regard, users of the reports will still be able to place more reliance on a Type No. 2 Report than a Type No. 1 Report, since the Type No. 2 Report also opines on operating effectiveness of the specified controls.

Both sets of standards are intended to provide useful information regarding transactions that are processed by service organizations on behalf of their customers (e.g. employee benefit plans). However, SSAE No. 16 reports differ in certain aspects from the SAS No. 70 reports. The following are the two significant changes related to the new reporting:

  • The new standard will now require management to present to the auditor a written assertion about the fairness of presentation of the description of the system, suitability of the design of the system, and for a Type No. 2 engagement, the operating effectiveness of the controls. These written assertions will be included in management’s description of the service organization’s system of specified internal controls. Such an assessment was never required in a SAS No. 70 engagement.
  • For a Type No. 2 engagement, the description of the service organization’s system and the service auditor’s opinion on that description will both cover the same specific period of time. This differs from a SAS No. 70 report, which was only as of a specified date, rather than for a specific period.

Monitoring a Service Organization Control Report is an important part of a fiduciary’s responsibility to an employee benefit plan since the service organization perform certain processes, which are relevant to the plan’s operations. For more information about this subject, the AICPA has created a Service Organization Control Report information center on their website which can be accessed at the following link: https://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/Pages/SORHome.aspx

NEED MORE INFORMATION?

If you need more information regarding this or any other topic affecting your retirement plan, fill in the form below to arrange a free consultation today.

The information contained herein is not necessarily all inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriate qualified professionals for your plan’s individual facts and circumstances.

Learn More About our Employee Benefits Services>>

How Can We Help?

Previous Post

Next Post

Read More
Image of icons representing employment benefits.

Employee Benefit Plan Services

When Consistent Quality and Convenience Matters The role of a plan administrator comes with great responsibility as the complexity of employee benefit plans requires businesses to follow extensive accounting and […]

Learn More