
SSAE 16 - An Introduction

SOC Examinations

In 2001, an international effort began to “converge” the disparate accounting standards of the world in order to provide a framework that better meets the demands of globalization. The various national standard-setting boards have spent years cooperatively developing a single set of international standards which countries are encouraged to adopt. In the United States, the American Institute of Certified Public Accountants (AICPA) is actively revising and re-codifying many US accounting standards to better align with these new international standards.

In April 2010, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, as the substantially equivalent US attestation standard to the new international standard for service organization reporting, International Standard on Assurance Engagements (ISAE) 3402. The international standard used the existing SAS 70 audit standard as its basis and incorporated changes. SSAE 16 uses ISAE 3402 as its basis, but includes some relatively minor differences. Both of the new reporting standards are very similar to the existing SAS 70 standard.

Key points for service organizations to consider:

  • SSAE 16 does not significantly change the service organization reporting process. The effort required to transition to the new standard should be minimal from the service organization’s perspective.
  • SSAE 16 must be adopted for Type 1 report dates, or Type 2 review periods, ending on or after June 15, 2011. The standard may be adopted early, but there are significant indications that few service organizations intend to do so.
  • Service organizations must consider whether the risks that threaten the achievement of the control objectives stated in their system description are identified and ensure that the controls described in the system description sufficiently mitigate those risks. Although there is no requirement that this procedure be formal or documented, it is highly advisable to update the risk assessment section of the report as evidence of compliance with this requirement.
  • The most significant change to the report content is a required section known as a “management assertion” in which management of the service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. Similar to opinion letter language, management assertion language is standardized.
  • Service organizations may only utilize the “inclusive” reporting method if the subservice organization provides a similar management assertion and a written representation letter. In all likelihood, this change will result in a significant reduction in the application of the inclusive reporting method.
  • Whereas the SAS 70 standard was a single standard that covered both the performance of a SAS 70 audit by a service auditor and the use of a SAS 70 report by a user entity and user auditor, SSAE 16 is only the attest standard for reporting on controls at a service organization. A separate audit standard will be issued to provide guidance on the use of an SSAE 16 report by user entities and user auditors.

A transition is coming and it will require some thoughtful consideration by service organizations. Service organizations are encouraged to begin discussing the impact of the transition with their CPA firm. An experienced service auditor will identify the impact of the changes on a particular audit and assist the service organization in achieving a seamless transition. And of course, service organizations can always obtain further guidance by contacting our team at www.schellman.com.

About Chris Schellman

Chris Schellman is the CEO and Founder of Schellman, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70s and has now contributed to nearly 2,000 SOC examinations.