SSAE 16
What is SSAE 16?
SSAE 16, or the Statement on Standards for Attestation Engagements No. 16, is a set of auditing standards and guidance on using the standards published by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) for redefining and updating how service companies report on compliance controls.
SSAE 16 was released in April 2010 as the reporting standard for all service auditors' reports. It was issued to replace the Statement on Auditing Standards (SAS) No. 70. SSAE 16 was superseded by an updated set of auditing standards, SSAE 18, on May 1, 2017.
Auditing standards like SSAE 16 help auditors to guide the discovery of controls, including security controls in data centers, internet service providers and other entities.
Auditors used SSAE 16 as a guide when creating two specific audit reports. The first is a snapshot that reflects the status of an organization's controls on a particular day. The second incorporates historical data that reflects how controls have changed over time.
Compliance standards like SSAE 16 -- and others such as PCI DSS for financial information security; HIPAA, or the Health Insurance Portability and Accountability Act, for health data security; and ISO 27001 for cybersecurity controls -- help organizations and auditors demonstrate information security compliance with regulations, such as Sarbanes-Oxley.
SSAE 16 requirements
SSAE 16 was designed for service organizations. Their clients often required it and used it to gain insight into the service provider's internal controls. This certification is obtained after a service organization underwent a compliance audit of its internal controls, particularly those that relate to a client's internal financial reporting controls.
SSAE 16 was used to verify controls and processes, along with requiring verification for both design and operating effectiveness. This was accomplished through two types of SSAE 16 audits:
- SSAE 16 Type 1. This type was used to test the accuracy of a service provider's description and assertion.
- SSAE 16 Type 2. This one was used when the first audit was combined with the implementation and effectiveness of the controls for a specific period.
What is in the SSAE 16 report?
Along with the two types of audits, the SSAE 16 report also contained a framework examining the system and organization controls of a service provider that are established by three System and Organization Control reports. SOC 1 provides auditors and office controllers with insight into a service provider's internal controls over financial statements and reporting. Companies requiring this type of report could have outsourced business processes to a third-party service organization, so it's important for them to know that outsourced services can affect their internal controls.
SOC 2 reports must demonstrate adherence to standards in several areas, including security, processing integrity, privacy controls, confidentiality and availability. The evaluations are only shared with relevant parties or under a nondisclosure agreement. SOC 3 reports outline the same topics as SOC 2, but they are used by anyone and are publicly available.
| SOC 1 | SOC 2 | SOC 3 | |
| Uses | Outsourced services carried out by third parties that affect a user company's financial reporting | Outsourced services carried out by third parties related to compliance and operations | Outsourced services carried out by third parties related to compliance and operations |
| Who uses it | C-level executives and compliance officers | C-level executives and compliance officers, as well as relevant third parties and business partners | Any interested party can view |
| Included information | Assessment of the services performed by the third parties | Assessment of the services performed by the third parties | Same as SOC 1 and 2 but with less emphasis on controls the third party performs |
SSAE 16 certification
The need for SSAE 16 certification differed from enterprise to enterprise and depended on the goal of the company. For example, if a company ran a data center that provided internal resources for employees on product development, then SSAE 16 certification might not be needed. However, if the goal was to serve a range of customers, then a certification could benefit the enterprise. This was based on the idea that some customers might have strict security or confidentiality requirements for their data and insist that their service providers hold SSAE 16 certification.
The SSAE 16 certification wasn't a sign of exceptional customer support or success. Instead, it let customers know the service provider had met a minimum set of standards within the industry. The SSAE 16 standard focus was on customers' business requirements rather than the needs of the business servicing those customers. Therefore, deciding whether to pursue the certification was a matter of reviewing the provider's customer list to see if demonstrating compliance with the SSAE 16's guidelines would be useful.
SSAE 16 vs. SSAE 18
As of May 1, 2017, SSAE 18 became the new accounting standard to address concerns about the clarity, length and complexity of several existing AICPA standards. SSAE 18 combines multiple prior SSAEs that differ from SSAE 16, which was mainly used for SOC 1 reports. SSAE 18 refers to many types of attestation reports other than SOC 1.
SSAE 18 helps establish a baseline of requirements and provides application guidance for auditors involved in exams, reviews and procedure engagements. SSAE 18 replaces SSAE 16 and its standards, putting them into a combined standard. It should be noted that, just as with SSAE 16 and SAS 70, SSAE 18 certification is the name of the standard practiced by auditors.
SSAE 18 places a priority on accurately disclosing the relationship between a service organization and other service providers they work with. It requires service organizations to provide auditors with risk management and assessments to highlight key internal risks. Risk assessments ensure the organization's controls are regularly reviewed, appropriate risks are addressed and updates are made to mitigate risks.
SSAE 18 also addresses the need for service providers to monitor controls at other third-party organizations they work with. They must examine those organizations more often than just during the purchase evaluation process.
SSAE 16 vs. SAS 70
A main difference between SSAE 16 and SAS 70, which SSAE 16 replaced, is that SSAE 16 required the management of the service company to provide a written assertion to the auditor stating its description accurately represents its organizational system. The organization's system description must consist of the services the organization provides and all operational activities that affect the service's customers
The organization also had to assert that its description described its control objectives and the period in which they were meant to be evaluated. SSAE 16 further differed from SAS 70 in the way it verified controls and processes, along with requiring verification for both design and operating effectiveness.
Many enterprises have third-parties manage risk mitigation and management processes. Find out the benefits of this approach.
