SSAE 16 audit requirements are best explained in two distinct steps: first, a comprehensive overview of the SSAE 16 standard itself; then, a discussion of the actual requirements that must be met to ensure compliance with Statement on Standards for Attestation Engagements (SSAE) No. 16. With that said, let’s step back and learn about the evolution of SSAE 16, beginning with the following subject matter:
Understand the Evolution of SSAE 16. The AICPA SSAE 16 attestation standard essentially replaced the aging and antiquated SAS 70 auditing standard, which had been in use for approximately 20 years. From April 1992 to June 15, 2011, SAS 70 was the dominant, global de facto compliance mandate for reporting on controls at service organizations. But twenty years with one standard, and one that never went through any major revisions, is a long time indeed. The AICPA therefore began planning for major changes, which ultimately led to the pronouncement of SSAE 16, an important component of the AICPA Service Organization Control (SOC) reporting framework.
Learn about the AICPA SOC framework. After years of faithful service, the SAS 70 auditing standard was effectively superseded not only by the SSAE 16 attestation standard, but by a completely new framework for reporting on controls at service organizations. Known as Service Organization Control (SOC) reports, the SOC framework is a radical departure from the one-size-fits-all approach that SAS 70 held for approximately twenty (20) years. In short, with three reporting options (SOC 1, SOC 2, and SOC 3), service organizations have more flexibility and more choices regarding third-party assessments of their control environments. While SOC 1 has quickly become the dominant reporting option, SOC 2 and SOC 3 are extremely viable, especially for many of today’s technology companies.
Choosing between SSAE 16 Type 1 or Type 2 Reporting. SOC 1 SSAE 16 reporting offers service organizations two options: Type 1 or Type 2. The general trend is for an organization new to third-party reporting on its internal control environment to begin with an SSAE 16 Type 1 report, followed by subsequent SSAE 16 Type 2 reporting. Type 1 reporting is merely a “snapshot” in time, covering a specific day, while SSAE 16 Type 2 reporting covers what’s known as a “test period”, which is generally a minimum of six (6) months but may also be eight, ten, or even twelve months. Because the “test period” provides much more insight into, and overall assurance about, a service organization’s control environment, Type 2 is seen as the much more credible reporting option.
Develop a Description of its “system”. One of the most important components of all the SSAE 16 audit requirements is for management to develop a description of its “system”, specifically “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.” If you’re new to SSAE 16 compliance, a competent and well-qualified PCAOB CPA firm can assist with this requirement. Writing a thoughtful and comprehensive description of one’s “system” can take considerable time, but remember: it’s an absolute requirement for SOC 1 SSAE 16 Type 1 and Type 2 reporting.
Go to Part II of the SSAE 16 Audit Requirements whitepaper.
Obtain a fixed fee for all your SOC 1 SSAE 16 needs today. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at email@example.com. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.