Meet Rubino & McGeehin

Jenny E. Herrera I build a close relationship with my clients to better understand their needs. I strive to become their business partner and to communicate practical solutions to complex financial matters.

Jenny E. Herrera

Read this Profile\View All Profiles

Recent Twitter Updates

Join us April 25 for a complimentary program discussing bid protests from the protestor and government perspectives. http://t.co/ftwuSqGL
1 month ago Follow Us

Resources

Changes to SAS 70

Category: Articles

By Stephen Boyle

Many companies use third party service providers to manage their employee benefit plans. Many third party service providers have their control objectives and their control activities audited to ensure they are in accordance with Statement on Auditing Standards No. 70 (SAS 70), as developed by the American Institute of Certified Public Accountants (AICPA).  SAS 70 audits document a third party service providers control activities and processes and are completed by an independent audit firm. Based on the results of the SAS 70 audit, the independent audit firm of a user organization may rely on the SAS 70 report when performing a financial statement audit or an employee benefit plan audit.  However, SAS 70 is being replaced by two new standards - SSAE No. 16 (for service auditors) and a new SAS 70 (for user auditors) which will amend and replace the original standard.

SSAE No. 16, Reporting on Controls at a Service Organization, is effective for years ended after June 15, 2011 and will require a service auditor to obtain a written assertion from management of the third party service provider about matters that the CPA is reporting on, including identifying risks that threaten the achievement of the control objectives.  Consistent with the original SAS 70, service auditors may still issue either a Type I report or a Type II report.  A Type I report includes a description of the service organization's controls and an audit opinion on whether the controls are operating as designed. A Type II report contains everything included with a Type I report, and also contains other information provided by the service organization, as well as a description of the service auditors' tests of the operating effectiveness of controls and the results from such testing.

The new SAS is effective for periods ending on or after December 15, 2012. The new SAS, finalized in May 2010, assists the user auditor to fulfill its risk assessment standards requirements by (1) obtaining an understanding of the entity, including its internal control relevant to the audit, sufficient to identify and assess risks of material misstatement and (2) to design and perform further audit procedures responsive to those risks.

In the end, these changes should not have a significant impact on audits of employee benefit plans.

View more resources