NDB also provides third party assurance reporting that may fall outside the scope of SSAE 16.

While the SSAE 16 standard is primarily geared towards reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting; there is also a need to report on controls outside that of financial reporting.

As such, the American Institute of Certified Public Accountants (AICPA) suggests that practitioners (i.e., service auditors) perform an Attest Engagement in accordance with AT Section 101.  Additionally, the AICPA is also very aware of the dramatic changes that information technology is having on the business arena as a whole and will be publishing additional information and helpful guides for meeting these needs.

Specifically, the AICPA will be putting for the following guide in 2011: Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.   This guide will help practitioners in reporting on controls for service organizations that are increasingly utilizing cloud computing services and other technology related platforms.

You can gain a greater awareness of the importance of AT Section 101 by fundamentally understanding the new AICPA SOC reporting framework, which consists of SOC 1, SOC 2 and SOC 3 reports.

If your organization is seeking third-party assurance reporting that may potentially fall outside the scope of an SSAE 16 attestation engagement, please contact NDB, a nationally recognized PCAOB CPA firm.