Just when you thought you had SAS 70 audits all figured out, along comes the new SSAE 16
assessment standard. If your company must undergo SAS 70 audits, then you will need to
understand the new standard that replaces the SAS 70 standard. The SSAE 16 standard
superseded the SAS 70 standard on June 15, 2011. Any auditor’s report produced after that date
must conform to the new standard.
What is SSAE 16, and to Whom Does it Apply?
SSAE 16 applies in the same fashion as SAS 70. If your company provides services to
publicly-traded companies registered with the Securities and Exchange Commission, you may
need to produce an “Independent Service Auditor’s Report on a Description of a Service
Organization’s System and the Suitability of the Design of Controls” in accordance with the
American Institute of Certified Public Accountants (AICPA) Statement on Standards for
Attestation Engagements 16 (SSAE 16). Whew! Those of us without the lung capacity of a
competitive swimmer simply refer to it as an SSAE 16 assessment.
Companies providing services such as payroll processing, benefits administration, and claims
processing, among other professional services, may be asked to provide their customers with a
copy of their SSAE 16 assessment report. Do you sell a Software-as-a-Service or “Cloud”
offering to publicly-traded companies? If you do, you are a service organization, and may be
subject to this requirement.
Tell me Again… Why Must I do these Assessments?
What happens when a publicly traded company exerts poor control over the accuracy of their
financial statements? Enron happens. Not only Enron, but other horrors you may recall from
splashy accounting scandal reporting. In response, the Sarbanes-Oxley (SOX) Act holds officers
of publicly-traded companies responsible for the fairness and completeness of their company’s
financial statements. The quality of these statements depends on a company’s internal controls.
These controls are processes designed to meet objectives for financial reporting reliability,
operational effectiveness and efficiency, and compliance with applicable laws and regulations.
The SOX act requires that signing officers evaluate their controls and report any deficiencies.
Your company may not be publicly-traded. However, if your company’s services could impact the
financial statements of one of your SOX-affected customers in any way, then your company’s
internal controls impact that customer’s controls. Remember, SOX requires companies to make
complete and accurate assertions about all controls that keep their financial reporting honest. So
how could your customer’s officers attest to the quality of your controls? Without SSAE 16
assessments, the choices would be daunting. The customer could: 1) audit your controls
sufficiently to make assertions about their quality, 2) take charge of your controls, or 3) state that
your unknown controls are a possible weakness in their own.
These options have obvious drawbacks. No publicly-traded company wants to go on record
admitting to inadequate controls. On the other hand, it would be hard to audit every service
provider one does business with, or to take charge of their controls. Similarly, service providers
with multiple SOX-affected customers could go out of business responding to an onslaught of
customer audits. The SSAE 16 assessment is designed to solve these problems. A service
provider can choose to undertake its own SSAE 16 assessment, and then simply provide a copy
of the SSAE 16 auditor’s report to any of their customer’s auditors who request it. Because it’s an
“auditor-to-auditor” report, your customer’s auditors can rely on the report to verify the quality of
your controls, without having to assess you themselves.
What has Changed with the SSAE 16 Standard?
SSAE 16 is an attest standard, not an audit standard. This is an accounting standard technicality.
It relates to the SSAE 16 assessment requirement that your management will attest in writing to
the fair presentation and design of controls. Under the previous SAS 70 standard, only the
auditors reported on controls; the company’s management was not required to make any
attestations. This attestation is the main difference between SAS 70 and SSAE 16. Under
SAS 70, your company’s management provided representations in the form of a signed
management representation letter given to the auditors prior to issuance of the SAS 70 report.
The letter was not included in the actual report, however.
Your “system,” in the language of the SSAE 16 standard, is the system that delivers your services
and the controls and activities that support service delivery. Management’s attestations, included
in the SSAE 16 report, are based on their description of their system. Management will attest:
· That management’s description of the system fairly presents the system that was
designed and implemented during the period covered by the assessment (for a Type II)
or at a point in time (for a Type I),
· That the controls related to the control objectives stated in that description were suitably
designed during that period (for a Type II) or at that point in time (for a Type I) to achieve
the control objectives, and
· For Type II assessments, that the controls operated effectively throughout that period to
achieve the control objectives.
The auditors will examine your company’s controls to determine their own opinion on these
matters. The fact that management must now make these attestations further highlights
management’s full responsibility for the controls in operation. This also better aligns SSAE 16
with SOX. Because SOX-affected companies’ management are held accountable for the veracity
of their financial report attestations, SSAE 16’s attestation requirement for service organizations
keeps the same kind of accountability in place for all internal controls in question.
Suitable Criteria for Evaluation
New in SSAE16 is a requirement that your management must use suitable criteria for evaluating
the overall system you use to provide services. Different standards could be used to provide
those criteria, depending on the type of services the company provides (like ITIL, COSO, COBIT,
or ISO, for example). The criteria used must be specified in the management attestation section
of the report. The minimum suitable criteria are specified in the SSAE 16 standard.
Evidence from Prior Engagements Disallowed
Under SAS 70, auditors could use evidence collected during prior audits to reduce the extent and
time of the testing. Under SSAE 16, auditors may not use evidence from prior engagements
about the satisfactory operation of controls, even if that evidence is supplemented with new
evidence provided for the current reporting period.
Disclosure of Reliance on Internal Auditors
If any tests of controls are performed by your company’s internal auditor, the SSAE 16
engagement auditor is required to clearly identify those tests in their description and describe
SAS 70 is now SSAE 16 Page 3 of 5 © ADV Group, LLC 2011
their procedures with respect to the internal auditor’s work. The SAS 70 standard did not require
Restrictions on Report Use
SAS 70 restricted use of the audit report to your management, your customers, and your
customer’s financial statement auditors. SSAE 16 further narrows the restriction regarding your
customers, depending on the type of report. For a Type I, use is restricted to entities that are
your customers as of the report date. For a Type II, use is restricted to entities that are your
customers during the report period.
Included versus Excluded Subservice Providers
Your company may use services provided to you by another company in the course of serving
your customers (for example, a data center). If the services subject to the assessment include
anything you obtain from another service provider (called a “subservice organization”), you have
the same choices as with SAS 70: the inclusive method, or the carve-out method. What differs in
SSAE 16 is that—for the inclusive method—your subservice provider’s management must
provide assertions similar to those required of your management. If you can’t obtain the
assertions from your subservice provider, you must use the carve-out method.
As with SAS 70, the inclusive method includes the subservice providers’ controls in your
assessment, just as if the controls were your own (requiring assessment participation from the
provider). A carve-out assessment excludes your subservice provider’s controls. With a
carve-out assessment, your customers would probably want to obtain your subservice provider’s
own SSAE 16 report. Of course, if the provider chose not to undergo an SSAE 16 assessment of
the right type, it could create a problem for your customers. Whether to include or carve-out your
subservice providers is a choice you make based on what you believe your customers will
require, and whether your provider can reliably provide an assessment report of their own.
What Remains the Same?
Scope of the Assessment
The SSAE 16 standard, as with the SAS 70 standard, does not dictate the set of controls that
must be covered by the assessment. It is for you to decide which controls are pertinent to the
services you provide. You should understand what your customers’ auditors would consider to
be pertinent to your services when determining the scope of the assessment.
One way to define scope is to review your services contracts. The contractual obligations around
your services would reasonably draw the boundaries that define your system and the controls
that support it.
SSAE 16 also relies on your description of your system, the controls, and the objectives the
controls are designed to meet, just as with SAS 70. The auditors assess whether the description
fairly describes the system and controls, and whether the controls are designed to meet the
Control objectives are stated in a similar fashion in SSAE 16 as in SAS 70. For example: “Control
activities provide reasonable assurance that information systems are protected from unauthorized
access, interference, damage, or destruction.” For each objective, you will also describe the
activities your company performs to meet the objective. The auditors will ask for evidence to
support your claim of undertaking these activities.
Type I and Type II
As with SAS 70, SSAE 16 reports come in one of two types: Type I or Type II. Both types rely on
management’s description of controls. The scope of each type of report is similar to that under
SAS 70. Type I assesses whether a company’s internal controls are fairly and completely
described and whether they have been adequately designed to meet their objectives, assessing
the controls in place at a certain point in time. Type II does the same, but takes it further—it
actually tests the controls in operation over a certain stated time period. As you might imagine,
the Type II is more thorough and requires more time and effort. The type of assessment report
you need (I or II) will be dictated by your customers and prospects; they know how your services
impact their operations, which in turn determines the type of report they will require of you.
Basic Format of the Audit Report
The auditor’s reports will follow the same basic format as for SAS 70, with the following
· The auditor’s Opinion Letter, which states whether they believe your controls are
adequate (also called the “Independent Service Auditor’s Report”)
· The descriptions of the services you provide, and your organization’s controls, covering:
o The control environment (management style, ethical philosophy, organizational
o Risk assessment and management
o Information and communication systems
o General controls
o Application controls
o Monitoring procedures
· User control considerations (a “user organization” means a customer, using the services
· Any other relevant information, provided by your management, that may apply to the
Like the SAS 70 audit, the SSAE 16 assessment requires that the auditors review the
management’s assessment of their controls and provide an opinion on its validity. They will
review the control objectives and control activities at your company to verify that they exist and
are designed as described. The auditors will obtain samples of artifacts (like documents or
reports) to support each control activity. For Type II assessments, the auditors will test the
effectiveness of the controls, to determine that they can reasonably meet the control objectives
they were designed to meet.
What is the ISAE 3402 Standard, and does it Apply to Me?
SSAE 16 also responds to the convergence of accounting standards between those in the U.S.
and the globally accepted principles (ISAE 3402) for reporting on controls at service
organizations. SSAE 16 and ISAE 3402 are very similar. Should your customers require
ISAE 3402, your auditor can advise whether you need a separate report for that standard.
Don’t Call Yourself “Certified”
Although this may seem a trivial point, the AICPA apparently disagrees with the commonly used
phrase “SAS 70 Certified” or “SSAE 16 Certified”. Technically, you do not receive a certification
under these standards. It is more accurate to say you are “SSAE 16 Compliant”.
Getting Ready for SSAE 16
To make the transition to SSAE 16, you should:
· Review your service contracts to ensure that your system description is complete and
· Determine whether you will use the inclusive method and, if so, how you will obtain the
necessary attestations from your subservice providers
· Review your existing controls and activities to ensure they are adequate and operating
· Ensure your ability to provide evidence for each control activity to your auditor
· Develop a plan for communicating the new standards (and restrictions on report use) to
your customer-facing teams
Because the new standard applies on June 15, 2011, some companies may be impacted as early
as July 1, 2011. Make sure you are ready!
Amanda Finch can be reached at firstname.lastname@example.org