SSAE 16 Resource Guide Blog

Recent blog posts

Obtain a PCI security awareness training PPT for download today from the industry leaders in Payment Card Industry (PCI) security awareness and training, that's  You'll receive an in-depth, industry leading PCI security awareness training PPT, along with numerous other additional documents for helping put in place best practices for educating your employees on critical security issues and best practices.  Additionally, if your organization needs to become PCI DSS compliant, then contact NDB Advisory today for high-quality, yet cost-effective PCI DSS compliance services.

Texas HB 300 training requirements include employee and workforce member training for all Texas covered entities. It's without question a comprehensive piece of legislation that's fundamentally even more strict than the federally mandated HIPAA requirements. The solution recommended is  SSAE 16 reporting requirements are also now becoming an essential compliance mandate for many Texas covered entities, so learn more about SSAE 16 from the Official SSAE 16 Resource Guide, developed by NDB Accountants & Consultants.

Need a quick SSAE 16 summary or primer on the new standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA)? If so, take note of the following SSAE 16 summary areas: 1. SSAE 16 has effectively replaced SAS 70. SAS 70, which was put forth in April of 1992 is no longer an auditing standard in use.  This is critically important as it represents one of the most significant changes in reporting on controls for service organizations. For the first time in almost twenty years, we have a new "attest" standard for reporting. 2. SSAE 16 is part of a much bigger, broader change.  That's right, not only did SSAE 16 replace SAS 70, but an entirely new reporting platform for service organizations has been introduced. Known as Service Organization Control (SOC) reports, organizations can now opt for SOC 1, SOC 2, and/or SOC 3 reporting. 3. Learn about the new SOC reporting options. The new AICPA alphabet of reporting on controls at service organizations can seem a little confusing, but for an ounce of clarity, try and remember the following for your SSAE 16 summary primer:

  • SOC 1 reports are to use the SSAE 16 standard and should generally be issued when there is a true and credible link or "nexus" to the internal control over financial reporting (ICFR) concept.
  • SOC 2 and SOC 3 reports are a great choice for the growing number of cloud computing and Software as a Service (SaaS) based entities.

4. Learn about the written statement of assertion and the description of the service organization's "system".  In short, the written statement of assertion requires management to effectively "assert" to a number of clauses regarding the actual assessment performed by a practitioner (i.e., CPA). Additionally, the description of the "system" requires management of the service organization to comprehensively document their "system". That's a brief SSAE 16 summary for you, thus if you want to learn more about Statement on Standards for Attestation Engagements No. 16, visit the official SSAE 16 Resource Guide, developed by NDB Accountants &  Consultants, a nationally recognized PCAOB CPA firm. Lastly, if you are in need of SSAE 16 services at a competitive, fixed-fee, contact NDB directly at 1-800-277-5415, ext. 706.

SSAE 16 Certification is a phrase I keep hearing over and over again. It’s not really a huge issue, but for an ounce of technical clarity, there is no such thing as SSAE 16 certification, just as there was no such thing as SAS 70 certification.  Both of these phrases were born out of a true misunderstanding of the historical SAS 70 auditing standard and the current SSAE 16 attest standard.  Technically speaking, SSAE 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), for which a practitioner (i.e., service auditor) uses the standard to perform an attest engagement for a service organization, resulting in the issuance of a service auditor’s report on controls.  There is no designation, certification, award, confirmation, or any other type of validation for an actual SSAE 16 assessment. It’s best to summarize that a service organization simply undertakes an assessment in accordance with the SSAE 16 standard, resulting in the issuance of report with a stated opinion, generally unqualified, by a CPA firm as part of the report. So, if you hear the term SSAE 16 certification, you can politely remind your colleagues or other interested parties that this technically incorrect. With that said, if your organization is seeking a well-qualified, cost-effective provider for SSAE 16 assessment services, then contact NDB Accountants & Consultants, a nationally recognized PCAOB CPA firm, at 1-800-277-5415, ext. 706. Additionally, if you want to learn more about SSAE 16, visit the official SSAE 16 Resource Guide, developed by NDB, where you can learn more about the following essential information:

Sure, this site is all about SSAE 16 and the new SOC standards, but I wanted to take this time and give you a link to a really neat site. If you love animals, especially dogs, like I do, then please check out the Official German Shepherd Resource Guide.  This is a wonderful site with a wealth of information on one of the world's most admired dog breeds. I hope you enjoy it.  Thanks!

Service Organization Control (SOC) Reports, more commonly known as SOC 1, SOC 2, and SOC 3, as you may or may not be well aware of by now, represent the new framework put forth by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at service organizations.  SOC 1, is essentially tied to service organizations for which reporting is ICFR based, that is, internal controls related to financial reporting. SOC 2 and SOC 3, however, represent a sincere  and genuine attempt by the AICPA to meet the growing demands and complexities of reporting on controls for service organizations OUTSIDE that of ICFR. In essence, it's a move to correct the misguided efforts by many who used the SAS 70 standard in an incorrect manner. Will it work? Well, the early signs are not that encouraging as I've seen recent press releases for data centers and managed services entities becoming SSAE 16 "certified" or "compliant". And by the way, the terms "certified" and "compliant" are grossly incorrect, for which you can learn more about how this has really irked the AICPA. Did they simply forget about SOC 2 and SOC 3? Are their clients simply sold on the merits of out with one standard (SAS 70), in with the new (SSAE 16), without being educated on the SOC framework? Have we as CPA's along with the AICPA not done enough to educate service organizations? Well, I think it's a little of everything.  I'm still hopeful that this "problem" will correct itself. I can already see the technical arguments, or rather, excuses, for issuing a SSAE 16 Type 1 or Type 2 report for a data center, managed services entity, or some other cloud type infrastructure....and here they are: "Well, that's what our clients wanted, so we used the SSAE 16 standard". Or how about this one, for which I"m hearing alot of: "Hey, if the controls are "likely relevant" to ICFR, then we can issue an SSAE 16 Type 1 or Type 2".  Or, the one that takes the cake is this one: Nobody is taking SOC 2 and AT Section 101 seriously yet, so for now, I'll just fall in line and do what most other firms are doing and going right from SAS 70 to SSAE 16".

SOC 3 Reports also address Reporting on Controls relevant to Security, Availability, Processing integrity, Confidentiality, and Privacy in accordance with general predefined criteria within theTrust Service Principles.  Please note that these reports are to be prepared using the AICPA and the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The framework for the Trust Services Principles has been around for quite some time, yet curiously, never really caught on as many would of imagined.  Lastly it is considered a general use report and comes with a public seal.  And much like SOC 2 reports, SOC 3 reports also use AT Section 101 as the professional standard for service auditor guidance.   It will be interesting in the coming years how notable SOC 3 reports become in comparison to SOC 1 and SOC 2 reports.

To learn more about SOC 3 reporting standards and all other regulatory compliance services provided, please contact Chris Nickell, CPA, at 1-800-277-5415, ext. 706.

SOC 2 reports, which will come to be known as Reporting on Controls Relevant to Security, Availability, Processing integrity, Confidentiality, and Privacy, are to be conducted in accordance with AT Section 101. Thus, SOC 2 will effectively insert itself as the primary reporting option to be used for service organizations reporting on controls outside the scope of financial reporting.  In simpler terms, Software as a Service (SaaS) companies, software development entities, cloud computing organizations, data centers, managed services, and many more, will be using the SOC 2 framework for reporting on controls.  And much like SOC 1 reporting, a service organization can either be issued two (2) type of SOC 2 reports, a Type 1 and a Type 2.

If you stop and think about it, this is quite significant for a number of reasons.  First and foremost, the SOC 2 framework is specifically geared towards the exponential growth of technology and security related service organizations, of which many provide outsourcing services to user entities.  Second, it hopefully will correct a huge misunderstanding within the business community at large; the myth that SAS 70 was an all-in-one reporting standard for any type of service organization.  As you now know, this is simply untrue and we now have an acceptable and viable reporting option for controls outside the scope of financial reporting.

Lastly, SOC 2 reports are designed to address generally the following key system attributes and traits:

  • Availability: That the system is available for operation and use as committed or agreed.
  • Security: That the system is protected against unauthorized access, both physically and logically.
  • Processing Integrity: That System processing is complete, accurate, timely, and authorized.
  • Confidentiality: That the information held by an organization is securely protected.
  • Privacy: That personal information is protected.

As a service organization, you will need to evaluate your current compliance requirements and commitments to your customers and start to ask yourself what reporting option do "we" fall under, SOC 1, SOC, or even SOC 3?  If you have been receiving SAS 70 audit reports from your CPA firm in the past, what do your customers expect in the future?  More importantly, what is the correct SOC reporting framework that "we" should adhere to?  NDB Accountants and Consultants can help answer these pressing questions regarding the new compliance requirements with the SOC framework. 

When you add it all up, phrases like SOC 1, SOC 2, SOC 3, SSAE 16, and AT Section 101 can become quite confusing. Get the facts and speak to an expert. Call Chris Nickell, CPA, directly at 1-800-277-5415, ext. 706 to get the answers you need.  Furthermore, you can email Chris at

Powered by EasyBlog for Joomla!


Your Trusted Provider for SSAE 16 Compliance

  • Vast Experience Across Numerous Industries and Sectors
  • Fixed Fee Engagements for SSAE 16 Reports
  • Nationally Recognized PCAOB CPA Firm