SSAE 16
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), for redefining and updating how service companies report on compliance controls. SSAE 16 was released in April 2010 as the reporting standard for all service auditors' reports and was issued to replace the Statement on Auditing Standards No. 70 (SAS 70). SSAE 16 was superseded by an updated set of auditing standards, SSAE 18, on May 1, 2017.
Auditors use SSAE 16 as a guide when creating two specific audit reports: The first is a snapshot to reflect the status of an organization's controls on a particular day, and the second is to incorporate historical data that reflects how controls have changed over time. Auditing standards, like SSAE 16, are used by auditors to guide the discovery of controls, including security controls, in all types of organizations, such as data centers, internet service providers (ISPs) and other entities that incorporate information security controls. The use of such standards is important in order to help both organizations and auditors in demonstrating information security compliance with regulations, such as Sarbanes-Oxley (SOX).
A main difference between SSAE 16 and SAS 70 is that SSAE 16 requires the management of the service company to provide a written assertion to the auditor stating its description accurately represents its organizational system. The organization's system description consists of the services provided by the organization and any and all operational activities that affect the service's customers. In addition, the organization must also assert that its description honestly describes its control objectives and the time period in which they are meant to be evaluated.
SSAE 16 requirements
SSAE 16 further differs from SAS 70 as it verifies controls and processes, along with requiring verification for both design and operating effectiveness. This is accomplished through two types of SSAE 16 audits. The first audit (Type 1) occurs when the accuracy of a service provider's description and assertion is tested by auditors. The second (Type 2) is when the first audit is combined with the implementation and effectiveness of the controls for a specific period of time.
SSAE 16 is designed for service organizations and is often required by the client in order to gain insight into the company. This certification is gained after a company has had an audit of internal controls at a service organization that may relate to their client's internal control over financial reporting.
What is in the SSAE 16 report?
Along with the two types of audits, the report also contains a framework that examines the controls of a service organization that are established by three Service Organization Control (SOC) reports. SOC 1 contains internal controls over financial reporting, which is used by auditors and office controllers. SOC 2 reports cover security, processing integrity, privacy controls, confidentiality and availability. This is used by regulators and management, and it is shared under a nondisclosure agreement (NDA). The final SOC report -- SOC 3 -- outlines the same topics as SOC 2, but it is used by anyone and is publically available.
SSAE 16 certification
The need for SSAE 16 certification differs from enterprise to enterprise and depends on the goal of the company. For example, if a company runs a data center that provides internal resources for employees on product development, then SSAE 16 certification might not be needed. However, if the goal is to serve a wide range of customers, then a certification could benefit the enterprise. This is based on the idea that some customers may have strict security or confidentiality requirements for their data and insist that their service providers hold SSAE 16 certification.
While this certification does not stand as a symbol for exceptional service, it enables customers to recognize the service provider as meeting a minimum set of standards within the industry. SSAE 16 certification is focused on customers' business requirements rather than the needs of the business servicing those customers. Therefore, deciding whether to pursue the certification should be a matter of reviewing the provider's customer list to see if the enterprise could benefit by demonstrating compliance with the SSAE 16's guidelines.
SSAE 16 vs. SSAE 18
As of May 1, 2017, SSAE 18 is the new accounting standard to address and clarify concerns about the clarity, length and complexity of several existing AICPA standards. SSAE 18 also combines multiple prior SSAEs that differ from SSAE 16, inasmuch as SSAE 16 was mainly used for SOC 1 reports -- SSAE 18 refers to many types of attestation reports other than SOC 1.
SSAE 18 further helps establish a baseline of requirements and provides application guidance for auditors who are performing or reporting on exams, reviews and procedures engagements. SSAE 18 replaces SSAE 16, as well as its standards, putting them into a combined standard. It should be noted that, just as with SSAE 16 and SAS 70, SSAE 18 certification is the name of the standard practiced by auditors.
SSAE 18 places a high priority on accurately disclosing the relationship between a service organization and a subservice organization. SSAE 18 further requires service organizations to provide service auditors with a risk assessment in order to highlight key internal risks; the risk assessment ensures the organization's controls are regularly reviewed, appropriate risks are addressed and updates are made to mitigate risks.
Finally, SSAE 18 addresses the need for monitoring controls at subservice organizations as service organizations must examine subservice organizations more often than just during the purchase evaluation process.