Statement on Standards for Attestation Engagements (SSAE) 16 came about for a number of fundamental reasons, one of the most important being the need for SSAE 16 to closely mirror and align itself with ISAE 3402, the globally accepted standard for reporting on controls at service organizations. The regulatory landscape has changed dramatically in recent years, forcing many service organizations to undergo an examination of their control environment. As such, SAS 70, the U.S. standard for reporting on controls at service organizations, was well positioned to accommodate the needs of businesses for compliance reporting purposes, ultimately allowing it to play a dominant role, both regionally and internationally. However, its limitations forced changes, resulting in the issuance of SSAE 16, which effectively supersedes SAS 70 on or after June 15, 2011. Following the issuance of SSAE 16, SSAE 18 is now the standard used for issuing SOC 1 reports dated on or after May 1, 2017.
SOC 1 (SSAE 16/SSAE 18), SOC 2 and SOC 3 are Born
Along with the changes came SOC 2 assessments as part of the AICPA Service Organization Control (SOC) framework, which consists of SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 reporting. Finally, there were options for service organizations when it came to having assessments and audits performed on their internal control environments. The change was long overdue, and greatly needed. Many of the challenges facing SAS 70 that ultimately resulted in the formation of the new SSAE 16 attest standard, which is now part of the AICPA Service Organization Control (SOC) reporting platform (SOC 1, SOC 2, and SOC 3), include the following:
Global Accounting Standards
The consensus amongst the international accounting community has been to move forward with globally accepted accounting principles and standards, which is evident with ISAE 3402, the international standard for reporting on controls at service organizations. It was clear that a revised U.S. standard would be necessary for keeping pace with these changes, hence SSAE 16 evolved to supersede SAS 70. Though there are a number of very subtle differences between SSAE 16 and ISAE 3402, they are essentially very similar with regard to their intent and overall framework.
Service Organization Reporting Requirements
The explosive growth in outsourcing has correspondingly resulted in a much greater reliance on independent, third-party audits for purposes of reporting on controls at service organizations. SAS 70 played a major, if not dominant, role in providing the framework under which service auditors would perform Type 1 and Type 2 engagements on service organizations. However, the original intent of the SAS 70 auditing standard was a report used primarily from auditor to auditor, not one geared towards the increasing requirements being put forth by a multitude of bodies, such as regulatory agencies, governmental entities, and other notable users of the report.
SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 - Two Prominent Standards
As a result, SOC 1 (SSAE 16/SSAE 18) now provides additional information that gives intended users of the report greater confidence in the reporting of controls at service organizations. Specifically, SOC 1 (SSAE 16/SSAE 18) requires an in-depth description of the service organization’s "system" along with a written assertion by management. The written assertion was never required by SAS 70, and the description of the service organization’s system now requires management to place a greater emphasis on describing and documenting this system for the service auditor for purposes of SOC 1 (SSAE 16/SSAE 18) reporting. In short, SOC 1 (SSAE 16/SSAE 18) closely mirrors ISAE 3402 and, in doing so, allows the U.S. standard to be well positioned for effectively meeting the growing needs of reporting on controls at service organizations. Furthermore, SSAE 16 effectively removes any limitations that were starting to show with SAS 70.