The AICPA has officially published "Statement on Standards for Attestation Engagements - Reporting on Controls at a Service Organization", which now becomes the essential guide for all parties interested in learning more about the SSAE 16 AICPA attestation standard. And though the guide is extremely helpful to many practitioners, it can seem a little dry to the average reader. With that said, let's pull out what are considered the essential and critical points from this publication in hopes of giving individuals a comprehensive and thorough understanding of SSAE 16. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance
Remember, this new attest standard, which became effective for reporting periods ending on or after June 15, 2011, was significant indeed, as it effectively replaced the long-standing SAS 70 auditing standard. Take note of the following points, provided to you by NDB Accountants & Consultants, a nationally recognized PCAOB CPA firm specializing in SSAE 16 (SOC 1), SOC 2 and SOC 3 reporting.
1. Why a New Standard? A number of issues came about that really required a thorough restructuring regarding third-party reporting on controls at service organizations, such as the changing landscape of service organizations themselves, the migration towards globally accepted accounting principles, etc. Read more.
2. The Written Statement of Assertion. Unlike SAS 70, SSAE 16 requires management to provide a written statement of assertion (i.e., also called a number of other terms, such as the "written assertion", "management's assertion", etc.). It is essentially where management asserts to a number of clauses and provisions. Read More.
3. The Description of its "system". SSAE 16 reporting on Controls at a Service Organization also requires management to provide a description of its "system", which is essentially the following:
the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. Read more.
4. Subservice Organization Reporting. If you're a service organization that actually outsources to yet another service organization, there may very well be "subservice organization" reporting requirements, such as the carve-out method and the inclusive method. Read more.
5. What is AT 101. This little-known professional standard is catching some attention as of late because it's the AICPA standard for which SOC 2 and SOC 3 reports utilize. Read more.
6. The AICPA SOC Alphabet. Confused by SOC 1, SOC 2, SOC 3, SSAE 16, AT 101, the Trust Service Principles (TSP) and other acronyms used by the AICPA in launching the Service Organization Control (SOC) reporting framework? Well, you're not alone, but let's try and clear the air on this. Read more.
7. The Internal Audit Function. Yet another topic that's not well-known when it comes to SSAE 16 reporting on Controls at a Service Organization. In short, the internal audit function "can" play a pivotal role in SSAE 16 Type 1 and Type 2 reporting. Learn more.
8. The Concept of "Monitoring". Learn about what monitoring truly means for SSAE 16. Read more.
9. ISAE 3402. There's an international equivalent to SSAE 16 reporting on Controls at a Service Organization, and it's called ISAE 3402. It's important to gain a solid understanding about ISAE 3402. Read More.
10. SAS 70 vs. SSAE 16. Though a dying story, due in large part because SAS 70 is now a historical auditing standard, it's still important to note some of the key differences between SAS 70 and SSAE 16, as not all organization have made the transition yet. Read more.
Is your organization seeking to become SSAE 16 Type 1 or Type 2 compliant? If so, contact NDB today for a competitive, fixed fee for all SOC 1, SOC 2 and SOC 3 reporting options. Contact Christopher G. Nickell, at 1-800-277-5415, ext. 706 or Charles Denyer, at 1-800-277-5415, ext. 705 today.