SSAE 16 | Service Organization's System and Written Assertion

SSAE 16 thus brings about two important components that service organizations should readily understand for purposes of complying with Statement on Standards for Attestation Engagements (SSAE) No. 16:

The description of its system should provide intended users of an SSAE 16 Type 1 or Type 2 with sufficient information to understand the services being provided to user entities. Therefore, the information should be comprehensive, accurate, and well-presented, and should cover all processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.

With that said, service organizations have historically presented a description of "controls" for Statement on Auditing Standards (SAS) No. 70, commonly known as SAS 70. So what's the difference between the SSAE 16 description of its "system" and the SAS 70 description of "controls"? Many practitioners who are well-versed in SAS 70 and are now learning more about the SSAE 16 framework have noticed that the actual AICPA publication on SSAE 16 provides a comprehensive listing of acceptable information that a description of its "system" calls for. This may very likely result in many service organizations having to revisit, rework, or substantially rewrite many aspects of their prior, historical SAS 70 description of "controls". In summary, some service organizations may find only marginal changes are needed, while others may feel compelled to significantly change the prior SAS 70 description of "controls" to meet the intent and rigor of the SSAE 16 description of its "system".

Additionally, service organizations must now provide a written assertion by management for SSAE 16. This written assertion was not required by the AICPA SAS 70 auditing standard, but now becomes a fundamental requirement of the new attestation standard.

The written assertion is just that: a number of "assertions" that are presented to the service auditor conducting the actual SSAE 16 engagement. Lastly, the written assertion can simply be included within the actual description of the service organization's "system" or attached to the description of the system itself.

For assistance in developing a description of its system along with a written assertion by management, please contact a well-qualified PCAOB CPA firm that specializes in SSAE 16 and ISAE 3402 compliance.

 
NDB - Your Trusted Provider for SSAE 16 Compliance
  • Vast Experience Across Numerous Industries and Sectors
  • Fixed Fee Engagements for SSAE 16 Reports
  • Nationally Recognized PCAOB CPA Firm