In January 2020, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) released the updated Statement on Standards for Audit Engagements (SSAE) 19 to further streamline the reporting of control design and effectiveness. For organizations seeking agreed-upon procedure (AUP) reports, the date of compliance for these new SSAE 19 standards was June 30, 2021.
For many organizations, producing professional evidence of effective controls is critical to vendor relationships, customer and client trust, internal improvements, regulatory adherence, and overall success. To streamline the reporting structure during audit engagements and standardize these control reports, third-party attestation reports were created and have since grown and adapted to fit the changing needs of organizations in many industries.
The new SSAE 19 guidance fills a very important gap that was created during the evolution of the SAS 70 to the SSAE 16 and the SSAE 18. These versions were able to adequately define control reports for financial controls or technology-related controls, but left those looking for attestation in other areas without a clear avenue to provide that information to end-users. For example, the old AUP reports were still available under the SSAE 18, but there were large hurdles encountered when trying to execute these reports. The SSAE 19 guidance comes with many new advantages that will benefit organizations seeking attestation reports.
What Makes SSAE 19 Different?
Lack of Approval Requirements
The SSAE 19 provides greater flexibility to organizations when issuing the report, with one of the most important changes being that there’s no longer a requirement for end-users to approve the appropriateness of the audit procedures.
Theoretically, having clients approve the procedures within your report is a great idea. Who wouldn’t want to ensure the report precisely fits the client’s needs? However, if an organization has a large established client base, this process would entail seeking the approval of hundreds or thousands of users, which could be extremely difficult. SSAE 19 changes the game by eliminating the need for end-user endorsement of procedures while still allowing the flexibility to incorporate end-users in the process of developing the procedures.
The second major element that increases flexibility is the ability to adapt procedures during the course of the review. In the past, procedures had to be outlined in the engagement letter and executed. The new guidance allows for the party performing the review to change or add new procedures as the review is taking place. This allows adjustments to be made to ensure that the report adequately addresses all elements of client operations, and will ultimately create a stronger report.
Another point to consider in the revised terms is that the report may be issued as a general-use report instead of a restricted-use report. This means the report is not restricted to current customers and can also be shared with prospective clients, potential investors, or new third parties.
SSAE 19 Audit Engagement Process: What to Expect
Organizations interested in pursuing an AUP under SSAE 19 should identify which controls they’re expecting to incorporate in the attestation. They should first determine if the control structure is sufficiently mature before engaging an accounting firm to issue this report. An organization may want to complete a readiness assessment prior to this engagement, where a consultant will evaluate the control environment before conducting the attestation.
Through the assessment, your organization will receive feedback on the maturity of your controls, as well as potential gaps that will need to be analyzed and closed prior to undergoing the formal audit process. A thorough readiness assessment would include interviews to evaluate the control design, as well as a review of documentation to ensure it supports the existence of the controls.
After the organization’s internal evaluation or a third-party assessment, it will be time to select an accounting firm to perform the attestation engagement. The firm will work with the organization to develop a preliminary list of test procedures to fit the objective of the report. Due to the changes in the requirements, these procedures can be modified during the course of the engagement if necessary. All changes must be acknowledged by the organization as appropriate. You may want to elicit customer feedback on the scope of the test procedures to ensure the report will meet their needs as well.
Once the testing is complete, a final report will be issued with the results of each test procedure. This report can be distributed to your customer base to provide assurance of your control structure’s effectiveness in the delineated areas.
This improved reporting structure will allow your company to provide clients with a report over a variety of topics that may not fit in the traditional System and Organization Controls (SOC) or financial control frameworks. These may include adherence to service level agreements, operational controls, or compliance attestations. The SSAE 19 allows an organization to be nimble in its approach to assurance regardless of the controls examined.