An SSAE 16 report is often issued after the completion of all assessment activities undertaken in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16. And an SSAE 16 report can be either a Type 1 or a Type 2, depending on the needs of the service organization itself. With that said, it's important to understand the contents of an SSAE 16 report and what each section means. This ultimately will provide you with a much greater understanding about SSAE 16 Type 1 and Type 2 assessments, and the accompanying reports that are issued for them.
People often ask us, "What is an SSAE 16 report?" It's a valid question. Simply stated, an SSAE 16 report is the end deliverable of the assessment process: a lengthy report the service organization receives that details the reporting on controls (SSAE 16 Type 1) and tests of operating effectiveness (SSAE 16 Type 2) for those stated controls. With that said, let's take a look at what's actually included within an SSAE 16 report.
1. Administrative Items. You'll obviously see - or should - a cover sheet and table of contents and any other general administrative documents within the final SSAE 16 report.
2. CPA Opinion Letter. Known also as the "service auditor's report", or many other similar names, the opinion letter expresses an opinion on the actual assessment and also provides information as to the relevant time period for the assessment (and test periods, if it is an SSAE 16 Type 2 report), along with numerous professional accounting and auditing disclosures and statements. They are quite standard from one report to another, regardless of the CPA firm issuing the SSAE 16 report.
3. Written Statement of Assertion by Management. This is a new requirement for the SSAE 16 report, and it essentially requires management of the service organization to "assert" to a number of important provisions and clauses. Your CPA firm conducting the SSAE 16 assessment should provide you with information regarding this matter.
4. Description of the "system". For purposes of an SSAE 16 report, look upon the description of the "system" as the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities".
5. Results of Testing. If an SSAE 16 Type 2 assessment is being performed, the results of testing will be included within an actual SSAE 16 report. Remember that SSAE 16 Type 1 assessments do not include results of testing for control objectives.
6. Additional Information provided by the Service Organization. This section gained attention with the former SAS 70 auditing standard, as it allowed service organizations to discuss any additional information they felt was relevant to the audit process. And much like SAS 70, this section is used within SSAE 16 reports to do the same, with many service organizations discussing their business continuity and disaster recovery plans (BCDRP), or anything else they feel is relevant or significant.
Is your organization seeking to become SSAE 16 Type 1 or Type 2 compliant? If so, contact NDB today for a competitive, fixed fee for all SOC 1, SOC 2 and SOC 3 reporting options. Contact Christopher G. Nickell, at 1-800-277-5415, ext. 706 today or email him directly at firstname.lastname@example.org.