Say hello to Statement on Standards for Attestation Engagements (SSAE) no. 16, and goodbye to the historical SAS 70 auditing standard. For reporting periods ending on or after June 15, 2011, SAS 70 now becomes a thing of the past, with SSAE 16 now standing front and center. And though there are similarities with SAS 70, such as offering Type 1 and Type 2 reporting, the AICPA SSAE 16 standard is now part of a bigger, better, and much improved framework for reporting on controls at service organizations. It's called the Service Organization Control (SOC) framework, and you'll be hearing quite a bit about it.
The AICPA SOC Framework
Type 1 vs. Type 2
SSAE 16 audit reports can be either Type 1 or Type 2, depending on the service organization's needs and requirements. For an ounce of clarity, just remember that an SSAE 16 Type 1 audit report is merely a "snapshot" in time, while an SSAE 16 Type 2 report covers what's commonly known as a "test period", which is generally six (6) to twelve (12) months in length. For purposes of regulatory compliance – and for satisfying increased client demands – SSAE 16 Type 2 reporting is ultimately what service organizations choose when reporting on their controls. Type 1 reports are a good stepping stone to the Type 2 reporting process.
According to the SSAE 16 publication put forth by the American Institute of Certified Public Accountants, a control objective is the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate". More simply stated, a control objective is an attribute that ensures a control or set of controls is operating effectively, and as designed. It's the basis of the entire SSAE 16 assessment process, and auditors and service organizations often work together in a collaborative manner in developing these control objectives. Technically speaking, however, the control objectives and related controls are those of the service organization.
Subservice Organization Reporting
Subservice organizations have become a very important part of SSAE 16 Type 1 and Type 2 audit reports, and for good reason. Learn more about what subservice organizations are, and about the "inclusive" and "carve-out" reporting requirements that apply to them.
Service Organization Requirements
Management has two very clear requirements for SSAE 16 audit reporting (for both Type 1 and Type 2): provide a written statement of assertion, and provide a description of its "system". Both the written assertion by management and the description of its "system" are new requirements under SOC 1 SSAE 16 when compared to the historical SAS 70 auditing standard.
SOC 1 vs. SOC 2 Debate
SOC 1 SSAE 16 audit reporting receives much of the attention regarding service organization reporting, but SOC 2 – intended for many technology and cloud computing entities – is catching on. If you're a data center, Software as a Service (SaaS) provider, managed services organization – or any other type of technology-oriented company – then SOC 2 may be a viable reporting option. At any rate, the SOC 1 vs. SOC 2 debate will continue into the foreseeable future. Want to receive a competitive, fixed-fee quote for all your SSAE 16 reporting needs, along with SOC 2 and SOC 3? Then contact us today and call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at firstname.lastname@example.org.
NDB – Providers of Fixed-Fee SSAE 16 SOC 1, SOC 2, and SOC 3 Audits
As the nation's leading provider of regulatory compliance services and solutions, NDB offers competitively priced, fixed-fee SOC 1, SOC 2, and SOC 3 audits and assessments. Whatever your organization's industry, size, or location, we have scalable, efficient, and high-quality services to meet your needs.