AT Section 101 is a professional standard that all service organizations need to be keenly aware, due in large part to the creation of the AICPA SOC reporting framework, for which both AT Section 101 and SSAE 16 play critical roles in reporting on controls.

In issuing SSAE 16, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has been very clear in stating that the intent of actual SSAE 16 itself is for reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting.

Simply stated, if a service provider is performing a task or function or providing a service to another entity, for which it impacts the financial reporting of this entity in some way, then SSAE 16 is applicable. Thus, the scope of the SSAE 16 is still consistent with that of Statement on Auditing Standards No. 70 (SAS 70), for which it is replacing.

Thus, when reporting on controls other than those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting), practitioners should perform an Attest Engagement in accordance with AT Section 101.

The reasoning for the AICPA to make very clear of the use of AT Section 101 is because the original SAS 70 auditing standard strayed heavily from its original use as an auditor-to-auditor standard, and more of that as an internal control audit conducted on almost any conceivable organization. Many service organizations quickly began to obtain SAS 70 Type I and Type II compliance for marketing and business development reasons, often largely ignoring the true technical merit and intent of the auditing standard itself. As such, the AICPA highly recommends that practitioners reporting on controls outside of that of financial reporting should conduct an Attest Engagement, in accordance with AT Section 101.

The AICPA is also very aware of the changes being brought about from technology and will be publishing a guide in the near future (2011) titled: Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

Expect this guide to be utilized when practitioners issue Attest Engagements under AT Section 101. This guide, along with the issuance of a Service Auditor’s Report under AT Section 101 could become a very-well known audit report in the marketplace as companies possibly move away from the SSAE 16 scope (which is limited to financial reporting) and embrace reporting on controls outside the scope of financial reporting.

It’s simply too early to tell as to which of the service organization reporting options will take firm root, resulting in widespread acceptance. With that said, expect SSAE 16, Attest Engagements in accordance with AT Section 101, ISAE 3402, and other country | region specific standards to be the dominant players.