Compliance White Papers

Taking the hassle out of staying compliant


The SSAE 16 AICPA standard, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), is a game-changer, to say the least. First and foremost, it effectively replaces the long-standing Statement on Auditing Standards No. 70 (SAS 70), which was issued in April 1992. SSAE 16 was in turn replaced by SSAE 18 for reports dated on or after May 1, 2018.

Say Hello to SOC 1 SSAE 18 Reports

Statement on Standards for Attestation Engagements (SSAE) No. 16 and No. 18 both represent a convergence with, adoption of and migration to more globally accepted accounting standards. As such, SSAE 16, SSAE 18 and their international equivalent, ISAE 3402, share a common framework, each requiring service organizations to provide a description of their “system” along with a written assertion by management. These two requirements are noticeably different from the U.S.-based SAS 70 standard, which only called for a description of “controls” and did not require a written assertion by management.

Regarding SSAE 16, the AICPA also issued a four (4) page PDF document titled “FAQs - New Service Organization Standards and Implementation Guidance” in which it answered many of the pressing, “hot button” issues facing SSAE 16. Some of them are technical, but others speak to the overall intent and use of SSAE 16. For example, the AICPA is very clear in stating that compliance with SSAE 16 does not result in becoming SSAE 16 “certified” or gaining a certificate or designation. This misconception came about as the SAS 70 auditing standard became increasingly popular after the passage of the 2002 Sarbanes-Oxley Act, ultimately resulting in incorrect phrases for the standard itself.


SSAE 16 and SSAE 18 and the ICFR Concept

Additionally, the AICPA states that SSAE 16 is limited to reporting on controls related to financial reporting, and it delves into a more in-depth discussion of using AT Section 101 for reporting on controls outside of financial reporting. It will be interesting to see how the SSAE 16 AICPA mandates are actually followed by businesses undertaking SSAE 16 compliance. Now, SSAE 18 not only provides reporting instructions for SOC 1 reports, it also delves into the SOC 2 framework. Let's just say that SSAE 18 is another game-changer in the world of regulatory compliance reporting.

Contact NDNB Accountants & Consultants today for obtaining a fixed fee on your SOC 1 SSAE 18 engagement.

Since 2006, NDNB has been setting the standard for security & compliance regulations