SSAE 16 thus brings about two important components that service organizations should readily understand for purposes of complying with Statement on Standards for Attestation Engagements (SSAE) No. 16:
The description of its system should provide intended users of an SSAE 16 Type 1 or Type 2 report with sufficient information to understand the services being provided to user entities. Therefore, the information should be comprehensive, accurate, and well-presented, and should cover all processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.
SSAE 16 Description of the "System" vs. Historical Descriptions
With that said, service organizations have historically presented a description of "controls" for Statement on Auditing Standards (SAS) No. 70, commonly known as SAS 70. So what's the difference between the SSAE 16 description of its "system" and the SAS 70 description of "controls"? Many practitioners who are well-versed in SAS 70 and are now learning more about the SSAE 16 framework have noticed that the actual AICPA publication on SSAE 16 provides a comprehensive listing of the information that a description of its "system" is expected to contain. This may very likely result in many service organizations having to revisit, rework, or substantially rewrite many aspects of their prior, historical SAS 70 description of "controls". In summary, some service organizations may find that only marginal changes are needed, while others may feel compelled to significantly change the prior SAS 70 description of "controls" to meet the intent and rigor of the SSAE 16 description of its "system".
The Written Assertion by Management
Additionally, service organizations must now provide a written assertion by management for SSAE 16. This written assertion was not required by the AICPA SAS 70 auditing standard, but now becomes a fundamental requirement of the new attestation standard.
The written assertion is just that: a number of "assertions" that are presented to the service auditor conducting the actual SSAE 16 engagement. Lastly, the written assertion can either be included within the actual description of the service organization's "system" or attached to the description of the system itself. For assistance in developing a description of its system along with a written assertion by management, please contact a well-qualified, PCAOB CPA firm that specializes in SSAE 16 and ISAE 3402 compliance. Looking for a competitive fixed fee for SSAE 16 and all your SOC 1, 2, and 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.