SSAE 16 (Statement on Standards for Attestation Engagements No. 16)

SSAE 16, or Statement on Standards for Attestation Engagements No. 16, is a set of auditing standards developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It was created to replace the previous standard known as SAS 70 (Statement on Auditing Standards No. 70). SSAE 16 is specifically designed for service organizations and addresses the issue of controls over financial reporting.

Here's a detailed explanation of SSAE 16:

Purpose:

SSAE 16 provides guidelines and requirements for auditors to evaluate the internal controls and security measures of service organizations that may impact the financial statements of their clients. It ensures that the service organization has implemented effective controls to protect client data, maintain data integrity, and provide reliable services.

Types of Engagements:

SSAE 16 defines two types of engagements: Type I and Type II.

a. Type I: In a Type I engagement, the auditor evaluates the design of controls at a specific point in time. The auditor provides an opinion on whether the controls are suitably designed to achieve their objectives.

b. Type II: In a Type II engagement, the auditor evaluates the design and operating effectiveness of controls over a specified period, usually six months or longer. The auditor provides an opinion on both the design and operating effectiveness of controls.

Service Organization Controls (SOC) Reports:

SSAE 16 requires service organizations to produce SOC reports, which provide detailed information about the controls they have implemented. These reports are intended to provide assurance to the service organization's clients and their auditors regarding the effectiveness of the controls in place.

a. SOC 1 Report: Also known as the Service Organization Control Report 1, it focuses on controls that are relevant to the client's financial reporting. It is used to evaluate the internal controls over financial reporting (ICFR) at a service organization.

b. SOC 2 Report: The Service Organization Control Report 2 focuses on controls related to security, availability, processing integrity, confidentiality, and privacy. It provides a comprehensive assessment of the organization's controls in these areas.

c. SOC 3 Report: The Service Organization Control Report 3 is a summarized version of the SOC 2 report. It provides a high-level overview of the organization's controls without disclosing detailed information.

Control Objectives:

SSAE 16 requires service organizations to establish control objectives that align with the needs of their clients. These control objectives define the goals and expectations of the control activities implemented by the service organization. The auditor evaluates the controls against these objectives to assess whether they are suitably designed and operating effectively.

Subservice Organizations:

In many cases, service organizations rely on other service organizations, known as subservice organizations, to perform certain functions or processes. SSAE 16 requires the service organization to evaluate and disclose the controls at these subservice organizations that are relevant to their services. The auditor will also assess the impact of these subservice organizations on the overall control environment.

Risk Assessment:

SSAE 16 emphasizes the importance of risk assessment. Service organizations are required to identify and assess the risks that could affect the achievement of control objectives. The auditor evaluates the adequacy of the risk assessment process and determines if appropriate controls are in place to mitigate identified risks.

Management's Assertion and Auditor's Opinion:

The management of the service organization provides a written assertion stating that the controls have been suitably designed to achieve the control objectives and, in the case of Type II engagements, have operated effectively over a specified period. The auditor then evaluates the assertion and provides an opinion on whether the controls are suitably designed to achieve the control objectives and, in the case of Type II engagements, operating effectively.

SSAE 16 provides a standardized framework for evaluating the controls of service organizations. It enables service organizations to demonstrate their commitment to security, data integrity, and reliable services to their clients. Additionally, it provides confidence to clients and their auditors that the service organization's controls have been independently assessed by a qualified third party.