SSAE16

SSAE 16 engagements undertaken by a service auditor are to be done so for the purposes of reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting. In simpler terms, SSAE 16 reports, much like the now historical SAS 70 auditing standard, are focused on internal controls over financial reporting. The SSAE 16 standard has been very clear from the onset in describing the scope of this type of engagement for purposes of reporting and preparing SSAE 16 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.

SOC 1 SSAE 16, ISAE 3402 and SOC 2 Reports - A Natural Evolution

In recent years, the now defunct SAS 70 auditing standard became heavily used in ways it was never really intended for. As a report that was originally designed for auditor to auditor use (service auditor providing it to the user auditor), it quickly became an auditing framework used to report on controls outside the scope of financial reporting, with many businesses obtaining SAS 70 Type I and Type II compliance for marketing and business development reasons. With SSAE 16 superseding SAS 70, its seems plausible that service organizations and other interested parties will continue to obtain third-party validation for reporting on controls, with SSAE 16 or possibly ISAE 3402 being that mechanism. A report issued under the framework of AT section 101, Attest Engagements, may be the logical choice for many entities, thus, SOC 2 Type 1 and SOC 2 Type 2 reports are growing in terms of use, acceptance, and recognition. 

With that said, however, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, does clearly state that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The “likely” phrase seems to provide the flexibility for including controls as needed for SSAE 16 reports. 

The Birth of ISAE 3402 - European SSAE 16 Equivalent

And if practitioners find any limitations with the SSAE 16 standard, they have the option of utilizing the ISAE 3402 standard, which states the following: “…determination of whether controls at a service organization related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgment…” Source: Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization, December 2009.  Please contact us today or call Christopher G. Nickell, CPA, directly at 1-800-277-5415, ext. 706, or email him at cnickell@ndbcpa.com, to learn more about NDB’s competitive, fixed fees for SSAE 16 Type 1 and Type 2 reporting.

Get A Free Quote Today!

Fill out my online form.
Copyright © 2017 SOC Reports. All Rights Reserved.
Joomla! is Free Software released under the GNU General Public License.