There are a number of SSAE 16 requirements you need to be aware of when complying with Statement on Standards for Attestation Engagements (SSAE) No. 16. The transition from SAS 70 to SSAE 16 is not merely academic, as some believe; it requires thoughtful consideration of several critical components before this attestation standard, issued by the AICPA, is fully understood. By gaining a better understanding of the following SSAE 16 requirements, your organization can successfully transition from SAS 70 to the new Service Organization Control (SOC) reporting framework.
1. Understand the evolution of the SSAE 16 standard.
Though not an actual SSAE 16 requirement, it is highly beneficial to learn about the dynamics, drivers and issues that led the AICPA to develop SSAE 16, which effectively replaced the long-standing SAS 70 auditing standard. SSAE 16 is effective for service auditors' reports covering periods ending on or after June 15, 2011, so any engagement still being planned against SAS 70 needs to be re-scoped.
2. Learn about the new Service Organization Control (SOC) framework.
The American Institute of Certified Public Accountants (AICPA) has completely overhauled service organization reporting on controls, which, until recently, was largely limited to Statement on Auditing Standards No. 70, commonly known as SAS 70. The result of that effort is three reporting options: SOC 1, SOC 2 and SOC 3. What is notable about the Service Organization Control (SOC) framework is that it directly addresses the growing range and changing complexity of the services that service organizations provide in today's business environment. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets; they help service organizations save a considerable amount on SOC compliance.
Specifically, the SOC 1 reporting framework, which results in the issuance of an SSAE 16 Type 1 report (design of controls as of a point in time) or Type 2 report (design and operating effectiveness over a period), is geared towards service organizations whose services have a credible link, or "nexus", to their user entities' internal control over financial reporting (ICFR). SOC 2 and SOC 3 reports, by contrast, are not built around ICFR; they report on controls relevant to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy, and are aimed primarily at the growing number of technology and cloud computing service organizations, such as Software as a Service (SaaS) providers, data centers, managed services entities and other technology vendors.
3. Develop a Description of a System.
One of the most critical SSAE 16 requirements is the ability to develop an in-depth, comprehensive description of the "system", which can best be defined as the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities relevant to user entities. The SSAE 16 audit guide published by the AICPA provides a detailed framework for what is considered acceptable format and content for a description of the system. Thus, if you have undertaken SAS 70 compliance in the past, your previous description of "controls" will have to be greatly enhanced or rewritten altogether to produce a credible and valid SSAE 16 description of the "system". Note also that for a Type 2 report the description must cover the system throughout the review period, not merely as of the period end date as was common practice under SAS 70.
4. Provide a Written Statement of Assertion.
Of all the SSAE 16 requirements that must be met, the written statement of assertion is unique in that it requires management of the service organization to "assert" to a number of clauses regarding the description of the system, the control objectives, the suitable criteria used and other supporting references. Management must have a reasonable basis for that assertion, which in practice means documented evidence (monitoring results, internal testing, incident records) supporting each clause. Because a written statement of assertion was never a requirement under the previous SAS 70 auditing standard, service organizations would be wise to contact a PCAOB-registered CPA firm for assistance with this task.
5. Understand Subservice Organization Reporting Requirements.
The SSAE 16 requirements for subservice organizations are quite clear, requiring management of the service organization to (a) identify any relevant subservice organizations (for example, a third-party data center or hosting provider that performs part of the service) and (b) decide on the reporting option for them: either the carve-out method or the inclusive method. Under the carve-out method the description identifies the subservice organization and the nature of the services it provides but excludes its control objectives and controls, and user entities are expected to obtain assurance over it separately. Under the inclusive method the subservice organization's relevant controls are included in the description and in the service auditor's testing, and the subservice organization's management must also provide its own written assertion. As with the written statement of assertion, assistance from a PCAOB-registered CPA firm specializing in SSAE 16 compliance is helpful here.
6. Learn about the Internal Audit Function.
If your organization has an internal audit function that performs routine operational reviews, control testing and other assurance activities, those activities and their results may form a significant component of an SSAE 16 engagement. The service auditor may use the work of internal audit only after evaluating the function's competence and objectivity, and remains responsible for the opinion, so expect the auditor to re-perform a portion of that work. Still, this can produce real efficiencies for the engagement itself, so it is beneficial to determine early what role, if any, internal audit will play in SSAE 16 compliance.
7. Additional Responsibilities and Requirements.
Other responsibilities and SSAE 16 requirements for a service organization include understanding, interpreting and implementing the following concepts:
- "Monitoring of Controls": management's ongoing activities for confirming that the controls described in the system are operating, since the assertion must be supported by monitoring rather than by the auditor's testing alone.
- "Identification of Risks": identifying the risks that threaten achievement of each stated control objective, so that the controls described can be shown to address them.
- "Suitable Criteria": the criteria against which the fairness of the description and the suitability and operating effectiveness of the controls are evaluated, which must be identified in management's assertion.
Want to learn more about the SOC framework and SSAE 16 compliance? If you have questions or would like to receive a competitive, fixed-fee proposal, please contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706.