SSAE 16

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

A SOC 1 Report (Service Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance.

Differences between SAS 70 and the new standards, SSAE 16 and ISAE 3042:

1. Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
• The fairness of the presentation of the description of the service organization’s system;
• The suitability of the design of the controls to achieve the related control objectives stated in the description; and
• The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)
2. During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.