An SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
SSAE 16 Type 2 Reports will include the following content:
- A description of the service organization's "system".
- A written assertion from management of the service organization that fairly presents the service organization’s system as designed and implemented throughout the specified period, and that the controls related to the control objectives stated in the description of the “system” for the service organization were suitably designed to achieve the control objectives as of the specified period.
- A service auditor’s assurance report.
Please keep in mind that the official SSAE 16 Type 2 Report, officially known as "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls", may be called any number of the following phrases:
- SSAE 16 Type 2 "Compliance" or "Compliant"
- SSAE 16 Type 2 Service Auditor's Report
- SSAE 16 Type 2 "Report" or "Reporting"
- You many even here the phrases "SSAE 16 Certified" or "SSAE 16 Certification", which are incorrect, as the AICPA SSAE 16 standard is not a certification, nor does it result in a service organization being certified. The correct representation would be that your organization is compliant with the SSAE 16 attestation standard, and as such, your organization has been issued an SSAE 16 Type 1 or Type 2 report for evidentiary matter.
Service organizations that are new to the reporting requirements for SSAE 16 would highly benefit from an SSAE 16 Readiness Assessment; a proactive consultative engagement which greatly assists the overall process.
Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitive, fixed fee for all your SOC 1 SSAE 16 and SOC 2 compliance needs.
Author: Charles Denyer