Statement on Standards for Attestation Engagements (SSAE) No. 16 came about for a number of fundamental reasons, one of the most important being the need for SSAE 16 to closely mirror and align itself with ISAE 3402, the globally accepted standard for reporting on controls at service organizations. The regulatory landscape has changed dramatically in recent years, forcing many service organizations to undergo an examination of their control environment. As such, Statement on Auditing Standards No. 70 (SAS 70), the U.S. standard for reporting on controls at service organizations, was well positioned to accommodate the needs of businesses for compliance reporting purposes, ultimately allowing it to play a dominant role, both regionally and internationally. However, its limitations forced changes, resulting in the issuance of SSAE 16, which effectively supersedes SAS 70 on or after June 15, 2011.
The challenges facing SAS 70 that ultimately resulted in the formation of the new SSAE 16 attest standard include the following:
Global Accounting Standards
The consensus amongst the international accounting community has been to move forward with globally accepted accounting principles and standards, which is evident with ISAE 3402, the international standard for reporting on controls at service organizations. It was clear that a revised U.S. standard would be necessary for keeping pace with these changes, hence SSAE 16 evolved to supersede SAS 70. Though there are a number of very subtle differences between SSAE 16 and ISAE 3402, they are essentially very similar with regard to their intent and overall framework.
Service Organization Reporting Requirements
The explosive growth in outsourcing has resulted in a much greater reliance on independent, third-party audits for purposes of reporting on controls at service organizations. SAS 70 played a major, if not dominant, role in providing the framework within which service auditors would perform Type 1 and Type 2 engagements on service organizations. However, the SAS 70 auditing standard was originally intended to produce a report used primarily from auditor to auditor, not one geared towards the increasing requirements being put forth by a multitude of bodies, such as regulatory agencies, governmental entities, and other notable users of the report.
As a result, SSAE 16 now provides additional information for which intended users of this report can have greater confidence in the reporting of controls at service organizations. Specifically, SSAE 16 requires an in-depth description of the service organization’s "system" along with a written assertion by management. The written assertion was never required by SAS 70 and the description of the service organization’s system now requires management to place a greater emphasis on describing and documenting this system for the service auditor for purposes of SSAE 16 reporting.
In short, SSAE 16 closely mirrors ISAE 3402, and in doing so, allows the U.S. standard to be well-positioned for effectively meeting the growing needs of reporting on controls at service organizations. Furthermore, SSAE 16 effectively removes any limitations that were starting to show with SAS 70.
Look upon the emergence of SSAE 16 and ISAE 3402 as a collaborative effort between two standards that seek to bring about transparency and a high degree of consistency for reporting on controls at service organizations.