SSAE 16 (Statement on Standards for Attestation Engagements, no. 16) is an audit standard created by the Auditing Standards Board (ASB) and the American Institute of Certified Public Accountants (AICPA). It covers engagements in which a service auditor reports on controls at organizations that supply services to users. These controls may be relevant to a user’s internal control over financial reporting (ICFR).
SAS 70 (Statement on Auditing Standards, no. 70) is a third-party assurance audit made specifically for service organizations. It is internationally acknowledged and was also developed by the AICPA. The audit, performed by a service auditor, examines and shows that a service organization has had an in-depth inspection of its control objectives and activities, which usually include controls over Information Technology (IT) and related processes. This is also important in reporting on the effectiveness of ICFR. A service auditor’s report under SAS 70, given to a service organization, proves it has been investigated by an independent accounting and auditing firm.
SSAE 16 audits basically replaced SAS 70 for the service auditor’s reporting schedule beginning in June 2011. SSAE 16 replaced SAS 70 because of the growing need for a more global regulation. Since SAS 70 had been adopted in 1992, it was out of date and not in line with the mounting changes in regulatory compliance. The newer SSAE 16 more closely reflects the international standard on reporting about controls at service organizations.
SSAE 16 also obligates a service organization to give a description of its system and a written affirmation by management.
Service organizations and providers must ensure the safety of users/clients when processing data belonging to clients. Two kinds of SSAE 16 audit reports are issued: Type 1 and Type 2. Both were developed to investigate and provide proof of IT security and monitoring of the user’s ICFR. This does not mean that either specifically looks at, monitors or reports on IT security; it usually does so only as it relates to a customer’s ICFR. The Trust Services Principles and Criteria (TSPC), which does have IT security on its list, is only incorporated into and required for SOC 2 (Service Organization Controls no. 2) and SOC 3 reports.
There are three dedicated and individual SOC reports. SOC 1 reports are used for service organizations that are reporting on controls that are pertinent to ICFR. SOC 2 reports are used for service organizations that are reporting on controls for their IT-related organizations. SOC 3 reports are similar to SOC 2 reports except that SOC 3 will be accessible to the public as a general use report.
The new SSAE 16 audits, just like the SAS 70 audits, are important to know about and understand because service organizations that were required to obtain reports under SAS 70 may also be required to obtain reports under SSAE 16. Organizations required to report can include the billing segment of a healthcare facility and a financial firm.
With the new SSAE 16 standards in place, it is important that service organizations look into their requirement to be audited. It is also crucial to know what report type will be used for the organization and what is expected from the organization in return as part of the audit and report process. This means understanding all relevant parts of the SSAE 16.
At Netgain, we are pleased to let our current and prospective customers know that we, once again, passed the SSAE 16 credentialing audit, which attests to our integrity and internal consistency for handling client information. You can be assured that your financial information is safe with us, along with your clients’ personal information.