Looking for SSAE 16 guidelines and other helpful information for ensuring your SOC 1 SSAE 16 Type 1 or Type 2 assessment is a success? Then take note of these important points you need to know about regarding Statement on Standards for Attestation Engagements No. 16. Additionally, you can learn more about these 5 important points along with other helpful SSAE 16 guidance when you visit the official SSAE 16 Resource Guide, developed by NDB Accountants & Consultants.
1. Goodbye to SAS 70: After almost 20 years as being the global de facto auditing standard for reporting on controls at service organizations, the SAS 70 auditing standard has effectively been replaced by SSAE 16. In short, for reporting periods ending on or after June 15, 2011, the SAS 70 auditing standing is no longer valid, thus you'll need to migrate to the SSAE 16 assessment standard.
2. SSAE 16 Written Statement of Assertion: Management of the service organization must now provide a written statement of assertion as part of undertaking an SSAE 16 Type 1 or Type 2 assessment. This assessment was never a requirement for the historical SAS 70 auditing standard. A well-qualified CPA firm specializing in regulatory compliance should be able to provide you with a standard template for developing management's assertion.
3. Description of the "System": Of the many SSAE 16 guidelines that are a requirement for the new AICPA attest standard, the description of a "system" is profoundly important in that management of the service organization will need to ensure that a comprehensive, thorough, and accurate description of its "system" is in place. This alone may require many service organizations to rethink and rewrite many sections of their historical SAS 70 description of "controls" narrative. Guidance from your CPA firm conducting the actual SSAE 16 assessment is crucial for this area.
4. SSAE 16 and ICFR: Much has been published about the true intent of SSAE 16 and its relationship to internal controls over financial reporting, a concept commonly known as ICFR. In short, you should discuss with your CPA firm your options for service organization reporting and whether a SOC 2 or SOC 3 report is a more viable option than SOC 1. Currently, most, if not all service organizations, are simply migrating from SAS 70 to SSAE 16 with little regard given to the merits of the SSAE 16 and ICFR relationship. This may change over time as the perceived value of SOC 2 and SOC 3 reports eventually gain momentum and acceptance in the marketplace.
5. SOC Framework: Service Organization Control (SOC) reports are a series of reporting options consisting of SOC 1, SOC 2, and SOC 3 reports that have been developed by the American Institute of Certified Public Accountants (AICPA). One of their primary goals was to update, enhance, and provide true value regarding reporting on controls for today's complex and ever-changing role of service organizations. You'd be wise to spend some time in learning more about the SOC framework.
This is just a small, yet crucial list of SSAE 16 guidelines your organization should be aware of regarding Statement on Standards for Attestation Engagements No. 16.
If you'd like to learn more about NDB Accountants & Consultants, our services and our competitive, fixed-fee pricing, please contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance