The Statement on Standards for Attestation Engagements Number 16 (SSAE 16) was issued by the AICPA in April of 2010 for reporting on controls at a service organization. SSAE 16 supersedes the previous standard, SAS 70, and is effective for all reports on periods ending on or after June 15th, 2011. A service organization is considered any entity that provides a specific service for other entities. A user entity is any entity that outsources a task to a service organization. The application of SSAE 16 is specific to controls affecting the financial statements of a user entity and the resulting Service Organization Control 1 (SOC 1) report is not for general distribution. If your company requires a more general use report, please contact us regarding SOC 2 and SOC 3 reports and see the AICPA’s overview at: AICPA Overview
It is important to note that there are no SSAE 16 or SAS 70 certifications.
SSAE 16 included several changes from SAS 70 (including usability of reports) which are outlined below:
Changes from SAS 70:
1. Auditors are now required to obtain management’s written assertion regarding the fairness of the presentation of the description of the organization’s systems (controls, processes, etc.) and the suitability of its design. Furthermore, if a Type 2 engagement is being performed, the assertion must also address the operating effectiveness of the controls that are being examined.
2. Auditors are required to identify any tests of controls performed by internal audit personnel as well as describe the procedures used to test controls.
3. Auditors are restricted from using evidence from prior engagements to reduce the scope of testing for the current engagement.
There are two varieties of SSAE 16 engagements:
A Type 1 engagement, where the auditor reports on the fairness of the presentation of management’s description of the organization’s system and the suitability of the design of the controls to attain the related control objectives included in management’s description of controls as of a specific date. This report provides less assurance than a Type 2 report.
A Type 2 engagement includes Type 1 requirements and additionally requires the auditor to report on the operating effectiveness of the controls. This report provides greater assurance than a Type 1 report due to the testing of control effectiveness.