SSAE no. 16 audits, which technically stand for "Statement on Standards for Attestation Engagements no. 16", include a healthy laundry list of items within an actual report (Type 1 and Type 2), so it's important to gain a stronger understanding of these items if your organization is seeking to become SSAE 16 compliant. And by the way, there's also a quick learning curve to get over regarding the alphabet of compliance reporting, which includes a number of different reports and their respective names. So let's get started with an in-depth examination of what's included in an SSAE no. 16 audit.
1. Distilling the AICPA alphabet: There's much to talk about regarding the American Institute of Certified Public Accountants' (AICPA) Service Organization Control (SOC) reporting framework, but we’ll be brief. Let's try and simplify it in the following manner: (1). SSAE no. 16 is the new professional standard (for reporting periods on or after June 15, 2011) for SOC 1 reporting. (2). AT Section 101 is the AICPA professional standard for SOC 2 reporting, while the SOC 3 reporting option, while it also technically uses AT Section 101, also incorporates the SysTrust | WebTrust Trust Services Principles (TSP). (3). In short, you have SOC 1, SOC 2 and SOC 3 reporting options under the AICPA Service Organization Control (SOC) framework, and with SOC 1 and SOC 2, you have options for Type 1 and Type 2 reports. Talk to a qualified CPA firm, who'll be able to also explain the SOC alphabet to you.
2. The Service Auditor's Report: Often called the "opinion letter", "Independent Auditor's Report" or any number of similar names, the "Service Auditor's Report" is a brief (approximately two pages), yet descriptive discussion regarding the scope of the report, test periods (if an SSAE no. 16 Type 2), type of opinion issued, and other related accounting jargon. It's written by the CPA firm issuing the SSAE no. 16 report, and for the most part, they are standard from one firm to another.
3. Written Statement of Assertion. Also called the "written assertion by management", "management assertion", etc, this is essentially a written statement by management "asserting" to a number of clauses, such as:
• That management's description of the service organization's "system" fairly presents the service organization's system that was designed and implemented at either a specific date (SSAE 16 Type 1 report) or implemented throughout a specified time period (SSAE 16 Type 2 report).
• Additionally, management must "assert" that the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives at either a specific date (SSAE 16 Type 1 report) or designed throughout a specified time period (SSAE 16 Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.
• Management must also discuss the criteria used to effectively making these assertions, which again, are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for a SSAE 16 Type 2 report) that the controls were consistently applied.
Lastly, the written statement of assertion is a new requirement that was not part of the SAS 70 reporting standard.
4. Description of the System. The description of the System for SSAE no. 16 is essentially "...the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities." In simpler terms, it constitutes a large part of a final SSAE no. 16 report as it generally includes numerous sections within it. And if you're curious, the historical SAS 70 auditing standard called for a "description of controls", which is generally perceived to be less comprehensive than the SSAE no. 16 "description of the system".
5. Other disclosures, test procedures, etc. SSAE no. 16 also includes section such as "User Control Considerations", "Test Procedures", "Tests of Operating Effectiveness and Results of Testing" (if a Type 2 report), "Additional Information", along with "Exceptions noted during testing" (if exceptions were found).
6. A final though on SSAE no. 16. It seems as if SSAE no. 16 has slowly taken on the role similar to that of SAS 70, and that it’s becoming the global de facto auditing standard for reporting on controls at service organizations. Sure, there are country | region and even an international standard (ISAE 3402) in place, but SSAE no. 16 seems to be rising to the top, much like SAS 70 did (and where it stayed for approximately 20 years; 1992 to 2011). And SSAE no. 16 is also being used for reporting on all types of service organizations, including many of technology service providers (i.e., data centers, software as a service (Saas), managed service providers, etc.) that were considered highly regarded candidates for SOC 2 reporting. This may change, however, as the SOC 2 auditing standard gains traction, but only time will tell.
Interested in receiving a fixed-fee quote for all your SSAE no. 16 compliance needs? Then contact Christopher G. Nickell at 1-800-277-5415, ext. 706 today.