Monday, September 1, 2014

Welcome to SSAE-16.org, your source for SSAE-16 resources and information. Search this website to learn more about the SSAE 16 audit standard, which replaced the popular SAS70 standard.

Statement on Control (SOC) 1 Reports

September 1st, 2014 by admin

SOC 1 reports, which are prepared in accordance with the SSAE-16 standard and report on controls at a service organization, are specifically intended to meet the needs of the management of user organizations and of the user organizations' auditors as they evaluate the effect of the controls at the service organization on the organizations' financial statement assertions.

SOC reports are important components of organizations' evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as SOX, and of the work of the organizations' auditors as they plan and perform audits of the organizations' financial statements.

Two types of reports exist:

Type 1: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a pre-determined date.

Type 2: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a pre-determined period.

The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.


Locate SSAE 16 / SOC Audit Provider



What is SSAE 16?

August 16th, 2014 by admin

The AICPA issued the Statement on Standards for Attestation Engagements 16, otherwise known as SSAE 16. This new standard replaces the SAS 70 standard. The new SSAE-16 standard is very similar to the International Standard on Assurance Engagements 3402, otherwise known as ISAE 3402.

One of the main reasons for the change from SAS 70 to SSAE-16 is to better align the United States standard with international standards for better consistency.

The deadline to adapt to this new standard is June 15, 2011. SSAE 16 reports will focus not only on financial reporting controls, but also on other controls related to compliance and operations. These reports will typically require more planning and preparation by both service organizations and auditors.

Auditors will need to determine the suitability of control design throughout the entire reporting period and not just at the end of the year. This requires that all control remediation be completed before the start of the reporting period.

Service organizations are required to provide an assertion on the design and effectiveness of internal controls. In order for service organizations to do this, due diligence and a documented risk assessment will need to be performed.





Difference Between SAS 70 and SSAE 16 Standard

August 12th, 2014 by admin

SAS 70 – Auditing Framework
SSAE 16 – Attestation Framework

Although there are some differences, not everything has changed with the adoption of the new SSAE-16 standard. SSAE 16 reports will still carry an opinion signed by a CPA even though the standard is found in the attestation standards. These reports can still be relied upon by auditors.

In addition, the concept of Control Objectives and Control Activities is still the same, and changes to the wording will not be required. Service Organizations will now be able to provide other information like Business Continuity and Disaster Recovery.

Another large difference between SSAE 16 and SAS 70 is that the SSAE 16 standard requires a written assertion by management, which has never been required for a SAS 70. This assessment can either include an actual description of the service organization's system or be an actual description of the system itself.





SSAE 16 Readiness Assessment

August 7th, 2014 by admin

In preparation for an SSAE 16 audit, if you have never received a SAS-70 report, it would be a good idea for your company to have a readiness assessment. A readiness assessment is not required, but it is a good idea because it helps you identify gaps and weaknesses in your company's current environment.

CPA firms can issue readiness assessments, and they can help identify potential improvements in existing control procedures that currently meet requirements but could be improved for the benefit of the service provider and/or its customers. It is also important to note that an SSAE 16 readiness assessment can be tailored to focus on specific areas of concern to management.

In many instances, the CPA firm that performs your readiness assessment will identify gaps and control deficiencies. The service provider will help create an action plan to address weaknesses identified. The service provider should be available to provide guidance on the control fixes being implemented to ensure they meet readiness requirements, as well as being pragmatic, sustainable, and cost effective.

