
What is SSAE 16?

According to the SSAE 16 Resource Guide, the definition is:

"The Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entity's internal control over financial reporting (ICFR)."

Differences Between SSAE 16 and SAS 70

There are a few main differences between the two, including:

  • SSAE 16 is an attestation standard, while SAS 70 is an auditing standard. This aligns SSAE 16 with the ISAE 3402 international assurance standard.
  • For reporting, SSAE 16 requires a description of the organization's system and a written assertion by management, while SAS 70 only requires a description of the organization's controls and no written assertion.
  • Overall, SSAE 16 is more comprehensive than SAS 70 and covers more ground.

Differences in Service Organization Control (SOC) 1, 2 and 3 Reports

SOC 1

SOC 1 reports, which replaced SAS 70 reports and are performed under SSAE 16, describe a service organization's controls that are relevant to user entities' internal control over financial reporting. This is the same scope that SAS 70 reports previously covered.

SOC 2 

SOC 2 reports test and report on the design and operating effectiveness of an organization's controls. The focus isn't on financial reporting, but on controls in the following areas:

  • Security
  • Privacy
  • Availability
  • Confidentiality
  • Processing Integrity

This report is based on the Trust Services Principles and is performed in accordance with the AICPA's AT 101.

SOC 3 

Also based on the Trust Services Principles and AT 101, SOC 3 is a general-use report on the organization's ability to meet the Trust Services Principles' criteria. SOC 3 reports do not contain a detailed description of the service organization's controls; they state only the organization's compliance status against the selected Trust Services Principles.

Difference Between SSAE 16, SAS 70 and ISAE 3402

The International Standard on Assurance Engagements (ISAE) 3402 is the international framework on which SSAE 16 was built. Although the two are similar, SSAE 16 addresses several matters that ISAE 3402 does not, including:

  • Intentional acts from service organization personnel
  • Anomalies
  • Direct assistance
  • And more…

Compared with both SSAE 16 and ISAE 3402, SAS 70 differs in two main ways:

  • SAS 70 doesn't require a written assertion from management
  • SAS 70 doesn't require a description of the organization's system