SSAE 16 engagements undertaken by a service auditor are to be done so for the purposes of reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting. In simpler terms, SSAE 16 reports, much like the SAS 70 auditing standard, are focused on internal controls over financial reporting. The SSAE 16 standard has been very clear from the onset in describing the scope of this type of engagement for purposes of reporting and preparing SSAE 16 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.

In recent years, the SAS 70 auditing standard became heavily used in ways it was never really intended for. As a report that was originally designed for auditor to auditor use (service auditor providing it to the user auditor), it quickly became an auditing framework used to report on controls outside the scope of financial reporting, with many businesses obtaining SAS 70 Type I and Type II compliance for marketing and business development reasons. With SSAE 16 superseding SAS 70, its seems plausible that service organizations and other interested parties will continue to obtain third-party validation for reporting on controls, with SSAE 16 or possibly ISAE 3402 being that mechanism. And though a report issued under the framework of AT section 101, Attest Engagements, may be the logical choice for many entities, it’ doubtful it will be pursued as AT 101 simply lacks any true recognition or acknowledgment by many who have come to rely on SAS 70 and will ultimately rely on SSAE 16 Type 1 and Type 2 reports.

With that said, however, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, does clearly state that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The “likely” phrase seems to provide the flexibility for including controls as needed for SSAE 16 reports.

And if practitioners find any limitations with the SSAE 16 standard, they have the option of utilizing the ISAE 3402 standard, which states the following: “…determination of whether controls at a service organization related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgment…” Source: Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization, December 2009.