SSAE 16
Overview
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.
SSAE 16 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard – ISAE 3402.
For service organizations that currently have a SAS 70 service auditor’s examination (“SAS 70 audit”) performed, some changes will be required to report effectively under the new SSAE 16 standard.
Reports
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.
A Type I report covers the service organization's description of controls at a specific point in time (e.g. June 30, 2012). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g. January 1, 2012 to June 30, 2012). The contents of each type of report are described in the following table:
| Report Contents | Type I Report | Type II Report |
| --- | --- | --- |
| 1. Independent service auditor's report (i.e. opinion). | Included | Included |
| 2. Service organization's description of its system (including controls). | Included | Included |
| 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included |
| 4. Other information provided by the service organization (e.g. glossary of terms). | Optional | Included |
In a Type I report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date.
In a Type II report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented throughout the specified period; (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives; and (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives.