The phrase "SSAE 16 Type II compliant" is used quite a bit these days by businesses marketing themselves as entities that have undertaken the rigorous assessment process associated with the well-known AICPA attestation standard, SSAE 16. But what does "SSAE 16 Type II compliant" really mean? Quite a bit, so NDB Accountants & Consultants (NDB) has provided the following list of helpful information relating to Statement on Standards for Attestation Engagements (SSAE) No. 16.
1. The AICPA SOC Framework. SSAE 16 is the professional standard used for issuing SOC 1 reports under the American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework, which consists of SOC 1 (SSAE 16) along with SOC 2 and SOC 3 (AT 101) reporting. Additionally, the SSAE 16 standard effectively replaced the antiquated SAS 70 auditing standard that had been in use for approximately twenty (20) years.
2. Define Scope. Different CPA firms have different methods for auditing service organizations when it comes to SSAE 16 Type II compliant reporting, and that's because the SSAE 16 standard - unlike many other compliance initiatives (e.g. PCI DSS, HITRUST, etc.) - is not "prescriptive" in nature. More specifically, it comes with only a lightly enforced framework, one that's open to wide interpretation by auditors, service organizations, and other interested parties. To be fair, this is to the advantage of the industry as a whole, as service organizations can be radically different entities with completely different operational environments from one to the next. As a result, the SSAE 16 standard has to be flexible and adaptive, not prescriptive.
3. It's an Annual Commitment. While we will stop short of calling it an annual "requirement", customers and other intended users of SSAE 16 Type II reports will come to expect - and demand - such reporting on an annual basis. The "one and done" approach unfortunately does not work in today's world of growing regulatory compliance mandates.
4. There is NO Certification. I repeat, this is NOT a certification, a seal or any other type of designated certificate - it does not work that way. Specifically, being "SSAE 16 Type II compliant" means that a service organization has undergone attest procedures in accordance with the AICPA professional standard, resulting in the issuance of a service auditor's report. The phrase "SSAE 16 Type II compliant" is therefore a better statement than the incorrect "certification" verbiage.
5. Start with a Readiness Assessment. Not sure where to begin when SSAE 16 reporting is being requested by customers and other parties? Begin with a comprehensive and cost-effective SSAE 16 readiness assessment, one that covers all issues relevant to an audit of this type. Crawling before you walk - as the old saying goes - is not a bad idea! Talk to the experts at NDB Accountants & Consultants today. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.