Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, SSAE 16 addresses engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness. As such, SSAE 16 engagements conducted by service auditors on service organizations result in the issuance of either an SSAE 16 Type 1 or Type 2 report.

A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply known as an SSAE Type 1 report.

A Type 2 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply known as an SSAE Type 2 report.

A Much Needed Change for Reporting on Internal Controls

SSAE 16 has effectively replaced SAS 70 as the primary standard for reporting on controls at service organizations. SAS 70, an auditing standard put forth in 1992 by the AICPA, has been a highly valuable and globally accepted framework, and one that has been amended a number of times to help keep pace with the growing changes in regulatory compliance. Even so, limitations within the SAS 70 framework prompted the Auditing Standards Board of the AICPA to put forth a new standard, one with an "attest" function, and one that closely mirrors the international standard on reporting on controls at service organizations, ISAE 3402.

The Emergence of SOC 2 Audits

Service organizations should not be alarmed that SSAE 16 is replacing SAS 70, primarily because many of the requirements and overall elements within SSAE 16 are essentially similar to those of SAS 70, with some notable exceptions. The two biggest changes brought forth by SSAE 16 are that management must provide the service auditor with (1) a description of the service organization's "system" along with (2) a written assertion. Also, keep in mind that SOC 2 audits are now becoming widespread in terms of use and adoption, particularly for technology-oriented companies. While SSAE 16 SOC 1 focuses on internal controls relating to financial reporting, SOC 2 audits are geared towards the likes of data centers, ISPs, SaaS/cloud computing vendors, etc. It's a much needed change in service organization control reporting, so continue to expect tremendous growth for SOC 2 audits.

Talk to the SOC 1 and SOC 2 Compliance Experts Today at NDB

Today’s regulatory compliance landscape can be extremely expensive and demanding, and that’s exactly why service organizations all throughout North America are turning to the proven, trusted professionals at NDB. We offer a complete line of services and solutions, ranging from readiness assessments to policy writing, remediation, along with performing SSAE 16 SOC 1, SOC 2, and SOC 3 audits, along with any other compliance assessments your business requires.  To learn more about NDB's SSAE 16 SOC 1 and SOC 2 services, along with obtaining a fixed-fee proposal, contact us today, or speak directly with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at today.



Copyright © 2016 SSAE16. All Rights Reserved.