Statements on Standards for Attestation Engagements 16 (SSAE 16)

What is SSAE 16?

In January 2010, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, that is substantially similar to the international standard and supersedes Statement on Auditing Standards No. 70, Service Organizations (SAS 70).

SSAE 16 has replaced the famous – SAS70 standard, that was in use by the Service Organizations for Reporting on Controls. The changes made in the new standard will help Service Organizations across the globe, and mainly to US based Organizations, in competing with other Organizations and offer best Services to their customers.

New Standard SSAE 16 has emerged with these goals:

  • The new standard SSAE 16 to be in sync with other international accounting standards
  • How audits should be conducted for internal controls at Service Organizations
  • And, how Service Organizations can use these audit reports for their Customers, for compliance, marketing or other purposes.

There are two types of SSAE 16 Reports:

  • SSAE 16 Type I Reports
  • SSAE 16 Type II Reports

SSAE 16 Services

SSAE 16 Readiness Assessments

SSAE 16 Readiness Assessments are conducted to check the level of implementation of the SSAE 16 in an Service Organization. GAP Analysis Study is done during the readiness assessment to find out all gaps in the implementation of the standard SSAE 16. A detailed Gap Analysis report is provided to the organization.

SSAE 16 Type I Attestation

A Type I service auditor’s report includes the service auditor’s opinion on the fairness of the presentation of the service organization’s description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.

Type I Attestation is performed as-on a particular date.

SSAE 16 Type II Attestation

SSAE 16 Type II builds on the Type I report to also include an assessment of the effectiveness of the controls over a period of time, which is recommended to be no less than six months. Such a report can be used to provide evidence of the effectiveness of the system in meeting stated objectives during the specified period.

Type II Attestation is performed for a particular period.

What is the significance of SSAE 16 compliance?

  1. Provide assurance to your clients about the safeguard of their funds and information.
  2. Ensure that client transactions are complete, accurate, and are completed in a timely manner.
  3. It reduces risks by Risk Management by the Service Organization.
  4. It reduces Service Organization’s audit and compliance costs. It literally pushes the cost down their supply chain.

Benefits of SSAE 16 Compliance

  • The SSAE 16 audit report allows the service organization to provide its customers with independent third-party verification about the state of the internal controls governing the integrity, reliability, effectiveness, and security of the processing services provided to user organizations.
  • The SSAE 16 Attestation Report can be used by user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures.
  • Undergoing the SSAE 16 Attestation distinguishes the service organization from its competitors.
  • The SSAE 16 Attestation can provide more benefits in comparison to an internal audit function.
  • A SSAE 16 audit can improve or sustain business relations between service providers and user organizations. It may be also viable to pass the costs of fees paid for the SSAE 16 Attestation to the user organization.
  • Upgradation from old standard to new SSAE 16 Standard. Use of SSAE 16 Audit Reports.
  • More confidence in the Services by the customers.
  • Allows the service organization to meet contractual obligations.
  • Provide additional comfort on risk, systems and controls to clients and business partners.
  • Provide assurance on the Internal Controls and meeting objectives in case of adverse situations.

SSAE 16 – For Whom

A SSAE 16 review is applicable when elements of a company’s processes are performed by a service provider and the company:

  • Needs assurance over the system of internal controls at the provider because the services/transactions affect their financial statements.
  • Needs assurance that the service provider is fulfilling contractual obligations.
  • Wants to gain a better understanding of their role in controlling the process.

There are numerous types of services that may be performed by an outsourced service provider:

  • Payroll
  • Investment Management
  • Custody and Trust
  • IT Processing
  • Human Resources
  • Benefit Management
  • Web Hosting
  • Credit Card Processing
  • 401k Management
  • Telecommunications
  • Finance
  • Accounts Payable
  • Accounts Receivable
  • Commodity Trading Support

More on SSAE 16

For more details on SSAE 16 please visit following links: