As for the SSAE 16 effective date, for reporting periods ending on or after June 15, 2011, SSAE 16 is the reporting standard to be utilized in accordance with the AICPA Service Organization Control (SOC) reporting framework. And though “early adoption” was allowed, few service organizations actually achieved compliance with this newly formed attestation standard. In short, say goodbye (as of June 15, 2011) to the historical SAS 70 auditing standard, and hello to not only SOC 1 SSAE 16 reporting, but also that of SOC 2 and SOC 3 reporting – two great options for many of today’s technology oriented service organizations.
And while the transition from SAS 70 to SSAE 16 has been relatively straightforward, there are new requirements and overall recommendations for which service organizations need to be aware of, such as the following:
Description of the System - Management of the service organization is required to develop a description of its "system", which, though similar to the historical SAS 70 auditing standard description of “controls”, is also seen as more comprehensive in nature
Written Statement of Assertion by Management - Management of the service organization must also effectively "assert" to a number of provisions and clauses regarding SSAE 16 Type 1 and Type 2 compliance.
SOC 2 and SOC 3 are Viable - Don't forget that for many of today's technology oriented service organizations, SOC 2 and SOC 3 (which incorporate the SysTrust and WebTrust Principles) are a great option when compared to SOC 1 SSAE 16 Type 1 and Type 2 reports.
Subservice Organizations are a Critical Component of Reporting - Service organizations themselves actually have other "service organizations" providing material services to them, hence – be on the lookout for subservice organizations as they play an important role in SSAE 16 Type 1 and Type 2 reporting.
A competent, well-qualified PCAOB CPA firm specializing in regulatory compliance should clearly be able to assist in all these matters regarding SSAE 16 reporting and the difference between SAS 70. And don’t forget that the SSAE 16 effective date is for reporting periods ending on or after June 15, 2011. So say goodbye to the SAS 70 auditing standard, and hello to Statement on Standards for Attestation Engagements (SSAE) no 16.
Other notable information regarding the SSAE 16 effective date worth reviewing is the following:
Call and speak with Christopher G. Nickell, CPA, to obtain a competitive, fixed-fee for SSAE 16 Type 1 and Type 2 reporting. He can be reached at 1-800-277-5415, ext. 706, or via email at email@example.com. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.