
SSAE 16 Type 1 reports are often looked upon as a "stepping stone" to their big brother, the SSAE 16 Type 2 report. And while the SAS 70 auditing standard is no longer with us, SSAE 16 reporting shares many similarities with that now-defunct third-party reporting standard, most notably that there are fundamentally two (2) types of SSAE 16 reports: SSAE 16 Type 1 and SSAE 16 Type 2. But the passing of the torch from SAS 70 to SSAE 16 brought changes, so take note of the following 5 important things you need to know about SSAE 16 Type 1 reporting.


1. SSAE 16 Type 1 reports are part of the new AICPA SOC framework. That's "SOC" as in Service Organization Control reporting, in which the SSAE 16 professional standard falls under the SOC 1 reporting option. There are a total of three (3) SOC reporting options: SOC 1, SOC 2 (AT 101 professional standard) and SOC 3 (Trust Services Principles | TSP). The intent of SSAE 16 Type 1 (and Type 2) reports was to break from the "one size fits all" applications used by SAS 70 and focus primarily on controls related to financial reporting, a concept well-known as "ICFR". This, however, has not matured, and SOC 1 reports are continuing to dominate the landscape for service organization reporting on controls, with little attention being given to SOC 2 reports.

2. SSAE 16 Type 1 reports are a "point in time". Remember, an SSAE 16 Type 1 report is often seen as the report for a service organization that is just beginning down the road of regulatory compliance, with SSAE 16 Type 2 compliance being the ultimate goal. Because SSAE 16 Type 1 reports are defined as a "point in time" (i.e., an "as of" date), their value is somewhat limited. Thus, conducting annual SSAE 16 Type 1 reports has little to no merit, as interested parties are looking for the more comprehensive SSAE 16 Type 2 reports.

3. SSAE 16 Type 1 reports require a description of the "system". While the SAS 70 standard "only" required a description of "controls", an SSAE 16 Type 1 report requires a description of the service organization's "system". A description of a "system", for purposes of SSAE 16, is considered a more comprehensive, in-depth discussion of a service organization. Look upon the description of a "system" as the following:

"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities." -ssae16.org.


4. SSAE 16 Type 1 reports require a written statement of assertion. Unlike the historical SAS 70 auditing standard, SSAE 16 Type 1 reports require that management provide a written statement of "assertion": a number of specific clauses that management must effectively assert to.

5. SSAE 16 Type 1 reports will continue to grow in prominence. Much like SAS 70 did over the past ten years, especially since the passage of the 2002 Sarbanes-Oxley Act, SSAE 16 reporting will more than likely dominate the landscape for reporting on controls at service organizations. Sure, there's an international equivalent (ISAE 3402), and other noteworthy AICPA reporting options (SOC 2 and SOC 3), but it just seems that SSAE 16 Type 1 and Type 2 reports are gaining a strong foothold on the industry as a whole.

