SSAE 16

From HORSE - Holistic Operational Readiness Security Evaluation.

Overview

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.

SSAE 16 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard – ISAE 3402.

For service organizations that currently have a SAS 70 service auditor's examination ("SAS 70 audit") performed, some changes will be required in order to report effectively under the new SSAE 16 standard.

Benefits

Service organizations can receive significant value from having an SSAE 16 examination performed. A Service Auditor's Report with an unqualified opinion that is issued by an independent auditing firm differentiates the service organization from its peers by demonstrating the establishment of control objectives and effectively designed control activities. A Service Auditor's Report can also help a service organization build trust with its user organizations (i.e., customers).

Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.

SSAE 16 engagements are generally performed by audit, risk, and control oriented professionals who have experience in accounting, auditing, and information security. An SSAE 16 engagement allows a service organization to have its control policies and procedures evaluated and, in the case of a Type II engagement, tested by an independent party. Very often this process results in the identification of opportunities for improvement in many operational areas.

Reports

One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.

A Type I report presents the service organization's description of controls at a specific point in time (e.g. June 30, 2012). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g. January 1, 2012 to June 30, 2012). The contents of each type of report are described in the following table:

Report Contents                                                                                                                                        | Type I Report | Type II Report
-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------------
1. Independent service auditor's report (i.e. opinion).                                                                                                | Included      | Included
2. Service organization's description of its system (including controls).                                                                             | Included      | Included
3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included
4. Other information provided by the service organization (e.g. glossary of terms).                                                                    | Optional      | Included

In a Type I report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date.

In a Type II report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented throughout the specified period; (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives; and (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives.

History

While "SAS 70" has become a well-known acronym representing an in-depth audit of a third-party service organization, the original Statement on Auditing Standards (SAS) No. 70 is actually one of many periodic statements issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). These periodic statements generally involve the modification of existing auditing standards or the introduction of new auditing standards. With the passage of the Sarbanes-Oxley Act of 2002, the Public Company Accounting Oversight Board (PCAOB) will also issue auditing standards for public companies (i.e., registrants of the SEC) on a go-forward basis.

In April 2010, the AICPA published a new Attestation Standard, SSAE No. 16, to supersede the existing guidance (SAS 70) for performing an examination of a service organization's controls and processes.

The auditor's consideration of an entity's internal control, and the impact a service organization may have on the entity's control environment, has long been an area of focus in designing an acceptable audit approach. The following table summarizes some of the Statements relating to internal control, the effect of information technology on a financial statement audit, and service organizations that have been issued since the very first Statement on Auditing Procedure (SAP) in 1939.

Statement      | Date Issued   | Title of Statement
---------------|---------------|-------------------------------------------------------------------------------------------------------------------
SAP No. 29     | October 1958  | Scope of the Independent Auditor's Review of Internal Control
SAP No. 41     | November 1971 | Reports on Internal Control
SAP No. 54     | November 1972 | The Auditor's Study and Evaluation of Internal Control
SAP No. 3      | December 1974 | The Effects of EDP on the Auditor's Study and Evaluation of Internal Control
SAS No. 44     | December 1982 | Special-Purpose Reports on Internal Accounting Control at Service Organizations
SAS No. 48     | July 1984     | The Effects of Computer Processing on the Audit of Financial Statements
SAS No. 55     | April 1988    | Consideration of Internal Control in a Financial Statement Audit
SAS No. 70     | April 1992    | Service Organizations
SAS No. 78     | December 1995 | Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55
SAS No. 88     | December 1999 | Service Organizations and Reporting on Consistency
SAS No. 94     | May 2001      | The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
PCAOB No. 2    | March 2004    | An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to Service Organizations.
PCAOB No. 5    | May 2007      | An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Note: Appendix B17-B17 covers Service Organization considerations.
ISAE No. 3402  | December 2009 | Assurance Reports on Controls at a Service Organization
SSAE No. 16    | April 2010    | Reporting on Controls at a Service Organization

Additional Information

  • Additional information on SSAE 16 and Service Organization Control reports can be viewed at the AICPA's new web page.
  • You can order a copy of SSAE 16 from the AICPA's online store - publication number 023035.

External Links