SSAE 16 | Overview of a Service Organization

The SSAE 16 standard will be used for reporting on controls at service organizations, and as such, the term "service organization" is defined as an organization providing services to "user entities", for which these services are likely to be relevant to these user entities' internal control for financial reporting. Thus, the term "user entity" is simply an organization using the service of a service organization.

Clearly, the definition of a "service organization" for purposes of the SSAE 16 standard can seem somewhat technical and ambiguous, but more important than the definition itself are the following questions:

  • What are common examples of service organizations and the industries and business sectors they represent?
  • Why are service organizations being required to become SSAE 16 compliant?
  • What trends will play out in the coming years for service organizations regarding regulatory compliance requirements?

SSAE 16 compliance will no doubt require a large number of service organizations to undergo an examination for reporting on controls, ultimately resulting in the issuance of an SSAE 16 Type 1 or SSAE 16 Type 2 report. With that said, listed below is a sample of industries and business sectors that have undergone SAS 70 compliance and will also become prime candidates for the new SSAE 16 standard, or even possibly the ISAE 3402 standard.

  • Software as a Service (SaaS)
  • Application Service Providers (ASP)
  • Credit Card Processing Platforms
  • Cloud Computing | Virtualization | On-Demand Computing Services
  • Internet Service Providers (ISP)
  • Web Design and Development
  • Web Hosting
  • Social Media | Content Tagging and Aggregators
  • Data Center and Co-Location Providers
  • Managed Services
  • Third Party Administrators (TPA)
  • Captive Providers
  • Medical Billing
  • Print and Mail Delivery
  • Online Fulfillment
  • Rebate Processing | Online and Mail
  • Transportation Services
  • Tax Credit and Empowerment Services
  • Payroll Services
  • Registered Investment Advisors (RIA)

In reality, there is a large and ever-growing list of industries and business sectors that are (and will be) considered service organizations for purposes of SSAE 16 compliance. The sheer growth in outsourcing, coupled with rigorous mandates for security, governance, and compliance, will force more and more businesses to comply with the SSAE 16 third party reporting standard for service organizations.

If your business or entity is providing critical or material outsourcing services to another entity, then you may very well be called upon to become SSAE 16 compliant. From processing medical claims to providing data center services to clients, just to name a few, businesses are becoming more involved than ever with other entities, thus creating a true need for reporting on controls at service organizations with the SSAE 16 standard.

Also of note is the ISAE 3402 standard, the global standard for assurance reporting on service organizations. ISAE 3402 and SSAE 16 are highly similar, with few notable technical exceptions, and as such, many service organizations outside North America may very well opt for ISAE 3402 compliance over SSAE 16 compliance. Ultimately, time will tell how the ISAE 3402 and SSAE 16 standards play out regarding adoption and overall acceptance throughout the globe.

 
NDB - Your Trusted Provider for SSAE 16 Compliance
  • Vast Experience Across Numerous Industries and Sectors
  • Fixed Fee Engagements for SSAE 16 Reports
  • Nationally Recognized PCAOB CPA Firm
