SSAE 16 | Understanding what Compliance with SSAE 16 Really Means

No. SSAE 16 compliance does not result in becoming SSAE 16 “certified”.  Using the term “certified” is technically incorrect and unfortunately became a common phrase in the era of SAS 70 auditing.  There is no certification awarded or granted upon completing an SSAE 16 attestation engagement.  Rather, the more technically correct wording one may use it that a service auditor has performed an attestation engagement to report on controls at a service organization, which resulted in the issuance of an SSAE 16 Type 1 or SSAE 16 Type 2 report.

Please keep in mind that similar to Statement on Auditing Standards No. 70 (SAS 70), the SSAE 16 is fundamentally an auditor-to-auditor report, with the scope of the engagement being that of controls related to financial reporting.  Service organizations who wish to pursue third-party assurance reporting outside the scope of financial reporting are advised to contact a well-qualified CPA firm for conducting an Attest Engagement in accordance with AT Section 101.

Hopefully, the term SSAE 16 “certified” or SSAE 16 “Certification” will not grow into widespread use and popularity as it did with the SAS 70 auditing standard.

To learn more about SSAE 16 and the new reporting requirements, service organizations should consider embarking on an SSAE 16 Readiness Assessment; a proactive and useful assessment tool for helping better understand the entire SSAE 16 reporting process.