Audit. Compliance. Assurance.


SOC 1 / SSAE 16 (formerly SAS 70) FAQ

1. What is SSAE 16?
With many organizations outsourcing their business processes and IT systems today, and with growing interest in and adoption of cloud computing services, a due diligence process is needed to assure user organizations and their auditors of the integrity of the financial data that is handled and/or processed by a third-party service organization.

If you are an organization providing outsourcing services to a company, you may be called upon to have an SSAE 16 audit completed.

2. Did SSAE 16 replace SAS 70? If so, are there any differences to the report?
Yes. Effective June 15, 2011, SSAE 16 superseded SAS 70 for performing the service auditor's examination. The main differences between SSAE 16 and SAS 70 are the following:

  • SSAE 16 requires a description of the 'system'; whereas SAS 70 required a description of controls
  • SSAE 16 requires a written assertion statement by management to be included in the report. SAS 70 did not require this.
  • For subservice organizations that are included in the service organization's SSAE 16 (inclusive method), the subservicer will be required to supply an assertion letter documenting their relationship to the service organization's system.

3. What is a "service organization"?
It is the company (i.e., vendor) that provides services to the user organization. Here are some common service organizations:

  • Payroll and Billing services
  • Banking and Financial Institutions (Retail and Investment)
  • Claims handling
  • Credit processors
  • Clearing houses
  • Investment advisors
  • Market Research Firms
  • ASPs (Application Service Providers)
  • Data Center Co-location & Managed Hosting providers
  • Cloud Providers

4. Benefits to the Service Organization to undergo SSAE 16
Completion of an SSAE 16 audit gives the service organization an advantage in the marketplace, as it illustrates to its auditors, regulators and/or current / potential user organizations that internal controls of financial importance within the organization are working as designed.

5. Who uses an SSAE 16 audit report?
An SSAE 16 report is generally used by a service organization to demonstrate to another auditor and/or their user organizations that internal controls of financial significance are in place.

6. Are there different types of SSAE 16 reports?
Yes. There is a Type I and a Type II report.

  • A Type I report describes the design of the control objectives at a point in time. As an example, a CPA firm would examine a company's controls on July 1, 2011 and report on the processing of transactions and these controls for that very same date: July 1, 2011.
  • A Type II report describes the design and operation of the control objectives over a period of time, which is usually 6 months. As an example, a CPA firm would examine the design and operating effectiveness of a company's control objectives and activities from July 1, 2011 through December 31, 2011 and report on the processing of transactions and these controls for that six-month period.

7. Are there restrictions on distributing this report?
No. A service organization can freely distribute the entire report or choose to provide the opinion letter from the CPA firm along with management's assertion. Traditionally, this information is used by management of the user organization (i.e. CEO, CFO, CIO, VP Finance), and the independent auditors of the user organizations.

8. Are SSAE 16 audits new?
Yes and No. Yes, in that SSAE 16 audits have been conducted since 2010, replacing the SAS 70 Audit Standard officially on June 15, 2011. No, in that the old standard, SAS 70, was performed from 1992 to 2011 for service organizations. The demand for these audits has been increased by the requirements of the Sarbanes-Oxley Act of 2002, government regulatory compliance, the increasing complexity of business processes, the management of IT systems and increasing popularity of Cloud Computing.

9. How long is an SSAE 16 report valid?
SSAE 16 Type I and Type II reports are valid for one full calendar year from the date of issue.

10. Will an organization suffer from "business interruption" during an SSAE 16 readiness assessment or audit?
Many organizations express concern over the time and resources needed to conduct an SSAE 16 readiness assessment or audit, particularly when the scope includes observing and ultimately testing a large number of controls throughout many areas of a company. TurnKey IT Solutions is sensitive to these concerns, and thus, strives to conduct SSAE 16 engagements with the utmost efficiency and effectiveness. We schedule the phases of the audit to accommodate your employees and your time.

11. Are there differences between SOC 1 / SSAE 16 and SOC 2?
Yes. The AICPA has provided clear guidance in this initiative.

  • Controls within a SOC 1 / SSAE 16 are defined by management, and the audit is risk-based. This report is useful to demonstrate to auditors and user organizations that internal controls over financial reporting (ICFR) are designed / operating effectively.
  • Controls within a SOC 2 report are also defined by management, but the audit is criteria-based, using SysTrust / WebTrust principles. This report is useful to demonstrate to a broad range of users (outside of user organizations) that controls over security, availability, processing integrity, confidentiality and/or privacy are designed / operating effectively.

12. So, which report is right for our organization?
There are many factors that may influence which report (SOC 1 / SSAE 16 vs. SOC 2) and type (Type I or Type II) your organization should obtain. Contact us for a free consultation.

For additional information or questions, please contact us by filling out the form to the right or email us at
