SSAE 16 Definition: "Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR)."
SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditor's reporting periods ending on or after June 15, 2011. Two (2) types of SSAE 16 reports are to be issued, a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its "system" along with a written assertion by management. However, with a few notable exceptions, SSAE 18 is now superseding existing attestation standards, including SSAE 16, so a common questioned asked is "will SSAE 16 reports now be called SSAE 18 reports?" To be clear, SSAE 18 is simply the attestation standard used for issuing SOC reports, so we'll hopefully see a clarification on naming conventions that will simply be SOC 1, SOC 2, and SOC 3 reports, but it is also likely that a commonly used phrase may very well be SSAE 18 SOC 1 or SOC 1 SSAE 18.
To learn more about SSAE 16, please visit the SOC Report Resource Guide, provided by NDNB Accountants & Consultants, LLP.
Additionally, SSAE 16 and now SSAE 18, along with AT Section 101, form the underlying platform and professional standards for which the new AICPA SOC reporting framework is founded on, which consists of SOC 1, SOC 2, and SOC 3 reports.
SSAE 18 Definition: Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification - effectively establishes requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter other than historical financial statements. SSAE 18 was put forth to address concerns over the clarity, length, and complexity of various standards developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). In clarifying the attestation standards, the ASB used the following special drafting conventions to make the standards easier to read, understand, and apply. Furthermore, SSAE 18 is effective for practitioners’ reports dated on or after May 1, 2017.
For purposes of AICPA SOC reporting (SOC 1 and SOC 2 reports), SSAE 18 advocates the following:
Assertion Criteria Modification: While always a part of SSAE 16, SSAE 18 requires a disclosure of the relationship between the service organization and its relevant subservice organizations. Specifically, have the service being performed by the service organization been included or carved-out, and are such disclosure made apparent in reporting?
Monitoring of Controls at Subservice Organizations: A service organization that is used by another service organization that assists in or participates in providing services to the actual user entity, for which such activities would be included in the description of the primary service organization's system. Therefore, organizations that provide services to a service organization that are not considered subservice organizations are referred to simply as vendors, because these services do not impact the controls of the primary service organization. Both SOC 1 and SOC 2 reporting require a service organization to provide relevant information regarding the following activities being performed for effectively monitoring the controls as subservice organizations:
- Review of Output Reports
- Regularly Scheduled Communication and Correspondence
- Regularly Scheduled Site Visits
- Actual Testing of Controls
- Monitoring External Communications
- Reviewing of Regulatory Compliance Reports
Evidence Provided by the Service Organization: Historically speaking, auditing best practices have always included obtaining reliable, current, relevant, and accurate data from a service organization. While almost every previous auditing standard (i.e., SAS 70, SSAE 16) has discussed the concept of evidence, it’s now defined with more clarity. In short, SSAE No. 18 provides the following list of information for which a service auditor receives, and which may require additional assessment procedures moving forward:
- Population lists used for sample tests
- Exception reports
- Lists of data with specific characteristics
- Transaction reconciliations
- System-generated reports
- Other system-generated data (e.g. configurations, parameters, etc.)
- Documentation that provides evidence of the operating effectiveness of controls, such as user access listing.
As a result of SSAE 18 pronouncements regarding evidence, SOC auditors will have to dig deeper in asking for more detailed evidence, and service organizations in turn will need to start retaining more detailed records.
Turn to the Experts at NDNB for all Your Compliance Needs