Compliance White Papers

Taking the hassle out of staying compliant

SSAE 16 Type 2 reports are being issued for many service organizations from a wide and varied list of industries these days. Much of this has to do with the passing of the torch from the SAS 70 auditing standard to the SSAE 16 attestation standard, along with more and more service organizations simply being required to undertake SSAE 16 Type 2 compliance. With that said, an introduction to SSAE 16 Type 2 reports will help all interested parties (i.e., service auditors, service organizations, etc.) gain a greater understanding of Statement on Standards for Attestation Engagements (SSAE) No. 16. So take note of the following points regarding SSAE 16 Type 2 reports. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

1. Changing landscape for service organization reporting on controls.  SAS 70 was the dominant force for reporting on controls at service organizations for approximately two decades. Unfortunately, it became somewhat of a misused standard - a one-size-fits-all approach by many in the industry - but the shift towards globally adopted accounting principles is well underway.

2. SOC Reporting Framework.  The American Institute of Certified Public Accountants (AICPA) put forth the Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reporting options. SSAE 16 is the professional standard used for issuing reports under the SOC 1 framework. It's an alphabet soup of reporting options for sure, so you'll want to read up on this issue and learn all about the SOC framework.

3. Description of its "system" and written statement of assertion.  SSAE 16 Type 2 reports require management of the service organization to provide a written statement of assertion, along with developing a description of its "system".  The written statement of assertion essentially requires management to "assert" to a number of provisions and clauses, while the description of the "system" is seen as the following:

"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."

4. The Internal Audit function.  There's much to learn about the internal audit function as it relates to SSAE 16 Type 2 reports. Specifically, you may be able to rely on certain internal audit evidence, provided the material presented (and the personnel involved in undertaking the actual internal audit functions) meets certain criteria.

5. The concept of "monitoring".  Not much is said in the world of SSAE 16 regarding the concept of "monitoring", but it's worth mentioning, and learning more about it is highly recommended.

Other notable points of interest regarding SSAE 16 you might want to learn more about include the following:

•    SSAE 16 Readiness Assessments
•    SOC 1 vs. SOC 2 reporting
•    SOC 3 reporting
•    SSAE 16 and the concept of "ICFR"

Is your organization seeking to become SSAE 16 Type 1 or Type 2 compliant?  If so, contact NDNB today for a competitive, fixed fee for all SOC 1, SOC 2 and SOC 3 reporting options. Contact Christopher G. Nickell at 1-800-277-5415, ext. 706 or Charles Denyer at 1-800-277-5415, ext. 705 today.

Since 2006, NDNB has been setting the standard for security & compliance regulations