What is SSAE 16? – Definition from TechTarget

SSAE 16, the Statement on Standards for Attestation Engagements No. 16, is an attestation standard issued in April 2010 by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). It was created to redefine and update how service organizations report on the controls they operate on behalf of their customers. SSAE 16 replaced the previous standard, Statement on Auditing Standards (SAS) No. 70, as the reporting standard for service auditors’ reports.

The main objective of SSAE 16 is to give auditors a consistent basis for assessing controls, including security controls, at service organizations such as data centers and internet service providers. Under SSAE 16 an auditor can issue one of two report types. A Type 1 report describes the organization’s system and gives the auditor’s opinion on whether the controls are suitably designed and implemented as of a specific date. A Type 2 report covers a review period (commonly six to twelve months) and adds the auditor’s tests of whether those controls operated effectively throughout that period. For a customer relying on the provider, the Type 2 report is the more useful of the two, because a Type 1 report says nothing about whether the controls actually worked.

Attestation standards like SSAE 16 help organizations and their auditors demonstrate that controls relevant to regulations such as the Sarbanes-Oxley Act are in place. They sit alongside other compliance frameworks such as PCI DSS for payment card data security, HIPAA for health data security, and ISO 27001 for information security management systems.

SSAE 16 was designed for service organizations, whose clients often require the resulting report. Although it is commonly called an SSAE 16 “certification,” the outcome is an auditor’s attestation report rather than a certificate: the auditor examines the service organization’s internal controls, particularly those that affect a client’s internal control over financial reporting, and renders an opinion on the design (and, for a Type 2 report, the operating effectiveness) of those controls and processes.

SSAE 16 is one part of the AICPA’s System and Organization Controls (SOC) reporting framework, which examines the controls of a service provider through three report types. SOC 1 reports, which are the reports actually issued under SSAE 16, give insight into a service provider’s internal controls relevant to its customers’ financial statements and reporting. SOC 2 reports, issued under separate AICPA attestation guidance, demonstrate adherence to the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 3 reports cover the same criteria as SOC 2 but omit the detailed control descriptions and test results so they can be distributed publicly. A SOC 1 report therefore says little about a provider’s security controls; a customer evaluating a cloud or hosting provider for security purposes should ask for the SOC 2 Type 2 report.

The decision to obtain an SSAE 16 report varies from enterprise to enterprise and depends on the organization’s goals. An organization whose systems serve only its own employees rather than outside customers may not need one. A report can be valuable, however, for enterprises that serve a wide range of customers, especially customers with strict security or confidentiality requirements or whose own auditors need assurance over outsourced processes.

It is important to note that SSAE 16 has been superseded by SSAE 18, which took effect on May 1, 2017. SSAE 18 addresses concerns about the clarity, length, and complexity of the existing AICPA attestation standards and consolidates multiple prior SSAEs into a single standard. It establishes requirements and provides application guidance for auditors across the various types of attestation reports, so reports issued today are SOC 1 or SOC 2 reports under SSAE 18, even though vendors and customers still sometimes refer to them as SSAE 16 reports.

One of the main differences between SSAE 16 and its predecessor, SAS 70, is that SSAE 16 requires the management of the service organization to provide a written assertion to the auditor. In it, management states that the organization’s system description fairly presents the system as it was designed and implemented, and that the controls were suitably designed (and, for a Type 2 report, operated effectively) to achieve the stated control objectives. This shifts accountability for the accuracy of the description onto management rather than the auditor alone. SSAE 16 also places greater emphasis on verifying controls and processes and on assessing both their design and their operating effectiveness.

In conclusion, SSAE 16 is an attestation standard that helps auditors assess controls at service organizations. It was designed to replace SAS 70 and has since been superseded by SSAE 18. Reports issued under these standards allow service organizations and their customers’ auditors to demonstrate that controls relevant to financial reporting and related regulations are in place and operating.
