1. The SSAE 16 standard has effectively replaced SAS 70 for reporting periods ending on or after June 15, 2011. As such, practitioners, service organizations and all other interested parties should begin to take note of the following six (6) essential points regarding the new SSAE 16 standard and the new AICPA Service Organization Control (SOC) reporting platform, which consists of SOC 1, SOC 2, and SOC 3 reporting options. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
The SSAE 16 standard represents not only the emergence of a new "attest" standard, but also an entirely new approach to reporting on controls, as witnessed by the AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This new SOC framework, which effectively replaces the aging SAS 70 auditing standard, provides service organizations and practitioners alike with a broad-based platform for reporting on controls. Specifically, SOC 1 reports, which utilize the SSAE 16 standard for reporting purposes, focus on the internal control over financial reporting (ICFR) concept. SOC 2 reports, however, have been designed to meet the growing demand for reporting on controls at technology-related entities, such as cloud computing vendors, Software as a Service (SaaS) entities, managed service providers, and software development companies, to name a select few. Lastly, similar to SOC 2 is SOC 3, which utilizes the Trust Services Principles and can also be used effectively for reporting on controls at the large and ever-growing list of technology-oriented service organizations.
Where SAS 70 was a one-size-fits-all auditing standard used for almost twenty years for reporting on controls at service organizations, the new SOC framework provides entities with true, viable options that are much more reflective of today's ever-changing business environment. Many would agree the changes were long overdue; hence the migration from SAS 70 to the new SOC framework has generally been well received.
2. If you've undertaken SAS 70 compliance in the past, you'd be wise to consider all reporting options under the new AICPA SOC framework: not just SOC 1, but also SOC 2 and SOC 3 reports. Most service organizations may feel compelled simply to migrate towards SOC 1 SSAE 16 reporting, due in large part to the current obscurity of SOC 2 and SOC 3 reports, along with other perceived marketability issues with these reports. This perception may well be short-lived once the new AICPA SOC framework gradually becomes more visible, transparent and better understood by all interested parties. Remember, the SOC 1 SSAE 16 framework is to be utilized for reporting on controls that have a clear and credible link to the internal control over financial reporting (ICFR) concept. SOC 2 and SOC 3 should therefore be the viable option for today's growing list of technology-related service organizations, such as those described above.
3. The SSAE 16 standard requires service organizations to provide a description of their "system", which is essentially the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities relevant to user entities. Whereas the historical SAS 70 auditing standard required a description of one's "controls", a rather loose-fitting term, the SSAE 16 standard's description of a "system" is generally regarded as more in-depth and comprehensive than the SAS 70 requirement. This alone will force service organizations to spend considerable time and effort developing a description of their "system".
4. Management of the service organization must now also provide the service auditor (i.e., the practitioner performing the SSAE 16 assessment) with a written statement of assertion. This "assertion", which was never a requirement for SAS 70, is essentially a statement whereby management is "asserting" to a number of essential clauses and statements regarding a number of areas related to the SSAE 16 assessment being performed.
5. The Internal Control Over Financial Reporting concept, widely known as ICFR, is a critical element of SOC 1 SSAE 16 reporting in that service organizations must establish a credible link between ICFR and the control environment being opined upon. In essence, they should ask themselves the following: What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) of the entities that utilize our services (i.e., user entities)? If this question cannot be clearly answered, then the service organization should opt for a SOC 2 or SOC 3 reporting option rather than the SOC 1 SSAE 16 standard.
6. The SSAE 16 standard also represents a migration towards globally accepted accounting principles, one that will be seen with even greater clarity as the push to adopt International Financial Reporting (IFR) standards continues to move forward. Additionally, SSAE 16 has an international equivalent: ISAE 3402, the International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organization. ISAE 3402, put forth by the International Federation of Accountants (IFAC) in late 2010, closely mirrors the SSAE 16 standard, with the exception of a few technical differences. Hence, the SSAE 16 and ISAE 3402 standards ultimately represent a collaborative effort and understanding by both the American Institute of Certified Public Accountants (AICPA) and the International Federation of Accountants (IFAC) of the growing emergence of unified and globally accepted accounting principles.
Looking for a competitive, fixed fee for your SSAE 16 Type 1 or Type 2 report? Have questions about the new AICPA Service Organization Control (SOC) reporting platform? Contact us today at 1-800-277-5415, ext. 706 for an in-depth consultation.