• What is SSAE 16?
  • Understanding the Role of the AICPA
  • Six Thoughts on SSAE 16
  • Standardize Your Systems with SSAE 16

What is SSAE 16?

Often organizations will be audited to show their voluntary compliance with the Statement on Standards for Attestation Engagements 16 (SSAE 16). SSAE 16 is a set of guidelines established by the American Institute of Certified Public Accountants (AICPA) to describe the manner in which a service provider properly reports on financial controls.

Understanding the Role of the AICPA

Rather than considering the standard in isolation, it helps to consider the professional community that created, maintains, and endorses it.

The American Institute of Certified Public Accounts (AICPA) is the most notable professional association for CPAs in the US, with locations in Durham, North Carolina; Ewing, New Jersey; New York City; and Washington, DC.

Essentially, the organization was created to systematize the profession of accounting so that it would be taken more seriously, so that businesses would be less likely to experience incompetent bookkeeping, and so that the general public would be better protected from shady practices. The nonprofit’s website explains, “The AICPA was founded in 1887 and upon its creation, established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, licensing status and a commitment to serving the public interest.”

The AICPA is intended as a source of literature, knowledge, and guidance for CPAs so that they can offer higher quality solutions through the strictest ethical standards. To achieve these ends, the AICPA collaborates with groups from each of the 50 states, paying special attention to locales where CPA expertise is most critical to the greater good.

Specific tasks conducted by the AICPA include:

  • creating standards that CPAs can use when auditing organizations
  • distributing continuing education content for skill refinement
  • developing and scoring the Uniform CPA Exam
  • gauging adherence to the accepted auditing and ethical approaches, penalizing any noncompliant parties.

Six Thoughts on SSAE 16

NDB Accountants & Consultants recently shared six thoughts on SSAE 16:

Thought #1

When SSAE 16 replaced Statement on Auditing Standards 70 (SAS 70) on June 15, 2011, it wasn’t just a simple updating of language but the introduction of an innovative control-reporting strategy. Fundamental to the strategy is its division of assessments into three Service Organization Control (SOC) categories:

  1. SOC 1 – A general assessment designed to follow the stipulations of internal control over financial reporting (ICFR)
  2. SOC 2 – An assessment specifically created for technology firms, such as cloud service providers and software developers
  3. SOC 3 – A review framed around the Trust Services principles – security, availability, processing integrity, confidentiality, and privacy – that is also geared toward technology providers.

Thought #2

Although the three different types of reports are an effort to better meet the diverse needs of today’s business environment, NDB notes that many IT companies gravitate toward SOC 1 simply because that version is better recognized. However, now that it’s been four years since the adoption of the new framework, businesses have a better familiarity with the SOC 2 and SOC 3 reports.

Thought #3

When you get audited for SSAE 16, you have to summarize your organization’s system, which according to NDB includes “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities.” In the days of SAS 70, organizations had to summarize their controls but not their user interaction activities in general. Be prepared to get more in-depth.

Thought #4

The leadership of your company must give the accountant who assesses you for SSAE 16 confirmation, in writing, that they are meeting certain guidelines. This is typically referred to as a written assertion or written statement of assertion. It also was not required for SAS 70.

Thought #5

You should be aware that if you choose SOC 1, you must be able to clearly establish your system’s relationship to internal control over financial reporting (ICFR). Do you have controls that influence your clients’ ICFR? If you are unsure, go with one of the other two reports.

Thought #6

The shift by AICPA from SAS 70 to SSAE 16 also marked a stronger adoption of worldwide accounting parameters, which will become more evident as International Financial Reporting (IFR) standards become more prevalent. There is also an official global version of SSAE 16: International Standard on Assurance Engagements 3402 (ISAE 3402), which was developed by the International Federation of Accountants (IFAC). NDB explains that these two standards represent a collaborative effort and understanding by both the [AICPA] and the [IFAC] of the growing emergence of unified and globally accepted accounting principles.”

Standardize Your Systems with SSAE 16

Are you considering SSAE 16 auditing? We have you covered: Our infrastructure is certified to meet the rules of SSAE 16 (SOC 1) Type II. Review our compliance hosting credentials today.

By Moazzam Adnan