SSAE 16

What is SSAE 16?

Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a standard developed by the American Institute of Certified Public Accountants (AICPA) that guides how service organizations should report on the controls they have to protect their clients’ data and systems. Formerly known as SAS 70 (Statement on Auditing Standards No. 70), SSAE 16 certification was introduced to align with international standards and reflect the changing landscape of technology and services. SSAE 16 has now been replaced by SSAE 18.

The Purpose of SSAE 16

The primary purpose of SSAE 16 is to establish guidelines for service organizations to assess and communicate the effectiveness of their internal controls relevant to their client’s financial reporting. These controls ensure the confidentiality, availability,  and integrity of client data. By obtaining an SSAE 16 audit, a service organization demonstrates its commitment to meeting industry best practices and assuring clients about the reliability of their services.

Types of SSAE 16 Reports

Service organizations can obtain two types of SSAE 16 reports: Type I and Type II.

• Type I Report: This report focuses on the service organization’s description of its controls and the suitability of its design as of a specific date. It provides a snapshot of the controls in place at a given point in time.
• Type II Report: More comprehensive than the Type I report, the Type II report includes an assessment of the operational effectiveness of the controls over a specified period, usually six to twelve months. This report is considered more valuable as it evaluates the design and implementation of the controls.

Benefits of SSAE Reports

For Service Organizations:

• Enhanced Credibility: An SSAE 16 report enhances a service organization’s credibility by demonstrating its commitment to security and compliance.
• Competitive Advantage: Possessing an SSAE 16 report gives service organizations a competitive edge, assuring clients of their commitment to safeguarding data and processes.
• Client Trust: Clients can trust service providers who have undergone an independent audit, as it offers transparency into the controls that protect their information.

For Client Organizations:

• Risk Mitigation: Client organizations can mitigate the risk associated with third-party services by relying on the information provided in SSAE 16 reports.
• Efficient Audits: By leveraging the SSAE 16 report, client organizations can streamline their audit processes and focus on areas not covered by the service organization’s controls.
• Compliance: SSAE 16 reports help client organizations meet regulatory requirements and demonstrate SSAE 16 compliance to regulators and auditors.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Start Free Trial Now

Start Free Trial Now

Learn more about SSAE 16
Click Here

What is the Difference Between SSAE 16 and SSAE 18?

SSAE 16 and SSAE 18 are auditing standards developed by the American Institute of Certified Public Accountants (AICPA) on Service Organization Control (SOC) reports. These reports provide information about the controls implemented by service organizations to protect their clients’ data and systems. While SSAE 16 and SSAE 18 share similarities, there are essential differences between the two standards.

SSAE 16 Overview

SSAE 16 was introduced in 2010 as a replacement for SAS 70 (Statement on Auditing Standards No. 70). It focused on guiding service organizations to assess and report on the controls relevant to their client’s financial reporting.

As we outlined previously, two types of reports are included in SSAE 16. Type I reports assess the design of controls as of a specific date. In contrast, Type II reports evaluate the operational effectiveness of controls over a period, usually six to twelve months.

SSAE 16 was primarily designed for controls that impacted the financial reporting of client organizations. It did not address all the cybersecurity and operational risks a service organization might face.

SSAE 18 Overview

SSAE 18 replaced SSAE 16 and became effective on May 1, 2017. The AICPA made this change to align with international standards and address the evolving needs of the industry.

SSAE 18 expanded the scope beyond financial reporting controls to include non-financial reporting controls that could impact client data’s security, availability, integrity, and confidentiality. 

SSAE 18 introduced three new categories of controls: 

1. Controls at the entity level
2. Controls implemented by third-party service organizations
3. Controls over the use of a service organization’s services. These new categories address various aspects of service organization controls beyond financial reporting.

In addition to Type I and Type II reports, SSAE 18 introduced the Type III report. This report includes the assessment of controls over a period and also describes the organization’s system and the auditor’s tests of operating effectiveness.

SSAE 16 vs. SOC 1

SSAE 16 (Statement on Standards for Attestation Engagements No. 16) has been superseded by SSAE 18, which is now commonly referred to as “SOC 1.” SSAE 18 introduced several enhancements and changes to the attestation standards, including aligning more closely with international standards and updating the format of the report. SSAE 18 provides a framework for service auditors to examine and report on controls at a service organization that are relevant to the user entities’ internal control over financial reporting.

The transition from SSAE 16 to SSAE 18 (SOC 1) aimed to improve the clarity and effectiveness of reporting on controls, addressing the changing landscape of technology and service organizations.