Statement on Standards for Attestation Engagements (SSAE) No. 16, is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, SSAE 16 is an attestation standard geared towards addressing engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness. As such, SSAE 16 engagements conducted by service auditors on service organizations will result in the issuance of either a SSAE 16 Type 1 or Type 2 Report.
A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply known as an SSAE Type 1 report.
Regarding a Type 2 Report, it is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply known as an SSAE Type 2 report.
SSAE 16 is effectively replacing Statement on Auditing Standards No. 70 (SAS 70) as the primary standard for reporting on controls at service organizations. SAS 70, an auditing standard put forth in 1992 by the AICPA, has been a highly valuable and globally accepted framework and one that has been amended a number of times for helping keep pace with the growing changes in regulatory compliance. Even so, limitations within the SAS 70 framework prompted the Auditing Standards Board of the AICPA to put forth a new standard, one with an "attest" function, and one that closely mirrors the international standard on reporting on controls at service organizations: ISAE 3402. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
Service organizations should not be alarmed that SSAE 16 is replacing SAS 70, primarily because many of the requirements and overall elements within SSAE 16 are essentially similar to that of SAS 70, with some notable exceptions. The two biggest changes being brought forth by SSAE 16 is that Management must provide the service auditor with a (1).Description of the service organization's "system" along with (2). a written assertion.
Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about NDB’s competitive, fixed fees for SSAE 16 Type 1 and Type 2 reporting.
Author: Charles Denyer