SSAE 16 engagements undertaken by a service auditor are to be done so for the purposes of reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting. In simpler terms, SSAE 16 reports, much like the now historical SAS 70 auditing standard, are focused on internal controls over financial reporting. The SSAE 16 standard has been very clear from the onset in describing the scope of this type of engagement for purposes of reporting and preparing SSAE 16 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.
SOC 1 SSAE 16, ISAE 3402 and SOC 2 Reports - A Natural Evolution
With that said, however, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, does clearly state that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The “likely” phrase seems to provide the flexibility for including controls as needed for SSAE 16 reports.
The Birth of ISAE 3402 - European SSAE 16 Equivalent
And if practitioners find any limitations with the SSAE 16 standard, they have the option of utilizing the ISAE 3402 standard, which states the following: “…determination of whether controls at a service organization related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgment…” Source: Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization, December 2009. Please contact us today or call Christopher G. Nickell, CPA, directly at 1-800-277-5415, ext. 706, or email him at email@example.com, to learn more about NDB’s competitive, fixed fees for SSAE 16 Type 1 and Type 2 reporting.