1. What is SSAE 16?
With many organizations outsourcing their business
processes and IT systems today, and the growing
interest in and adoption of cloud computing
services, a due diligence process is needed to
assure user organizations and their auditors of the
integrity of the financial data that is being
handled and/or processed by a third party service
If you are an organization providing outsourcing
services to a company, you may be called upon to
have an SSAE 16 audit completed.
2. Did SSAE 16 replace SAS 70? If so, are
there any differences to the report?
Yes. Effective June 15, 2011, SSAE 16 superseded SAS
70 for performing the service auditor's examination.
The main differences between SSAE 16 and SAS 70 are:
- SSAE 16 requires a description of the
'system'; whereas SAS 70 required a description
- SSAE 16 requires a written assertion
statement by management to be included in the
report. SAS 70 did not require this.
- For subservice organizations that are
included in the service organization's SSAE 16
(inclusive method), the subservicer will be
required to supply an assertion letter
documenting their relationship to the service
3. What is a "service organization"?
It is the company (i.e., vendor) that provides
services to the user organization. Here are some
common service organizations:
- Payroll and Billing services
- Banking and Financial Institutions (Retail and Investment)
- Claims handling
- Credit processors
- Clearing houses
- Investment advisors
- Market Research Firms
- ASP's (Application Service Providers)
- Data Center Co-location & Managed Hosting providers
- Cloud Providers
4. Benefits to the Service Organization to undergo
Completion of an SSAE 16 audit gives the service
organization an advantage in the marketplace, as it
illustrates to your auditors, regulators and/or
current / potential user organizations that internal
controls of financial importance within your
organization are working as designed.
5. Who uses an SSAE 16 audit report?
An SSAE 16 report is generally used by a service
organization to demonstrate to another auditor
and/or their user organizations that internal
controls of financial significance are in place.
6. Are there different types of SSAE 16 reports?
Yes. There is a Type I and a Type II report.
- A Type I report describes the design of the
control objectives at a point in time. As an
example, a CPA firm would examine a company's
controls on July 1, 2011 and report on the
processing of transactions and these controls for
that very same date: July 1, 2011.
- A Type II report describes the design and
operation of the control objectives over a period of
time, which is usually 6 months. As an example, a
CPA firm would examine the design and operating
effectiveness of a company's control objectives and
activities from July 1, 2011 through December 31,
2011 and report on the processing of transactions
and these controls for that six month period.
7. Are there restrictions on distributing this
No. A service organization can freely distribute the
entire report or choose to provide only the opinion
letter from the CPA firm along with management's
assertion. Traditionally, this information is used
by management of the user organization (i.e. CEO,
CFO, CIO, VP Finance), and the independent auditors
of the user organizations.
8. Are SSAE 16 audits new?
Yes and No. Yes, in that SSAE 16 audits have been
conducted since 2010, replacing the SAS 70 Audit
Standard officially on June 15, 2011. No, in that
the old standard, SAS 70, was performed from 1992 to
2011 for service organizations. The demand for these
audits has been increased by the requirements of the
Sarbanes-Oxley Act of 2002, government regulatory
compliance, the increasing complexity of business
processes, the management of IT systems and
increasing popularity of Cloud Computing.
9. How long is an SSAE 16 report valid?
SSAE 16 Type I and Type II reports are valid for one
full calendar year from the date of issue.
10. Will an organization suffer from "business
interruption" during an SSAE 16 readiness assessment
Many organizations express concern over the time and
resources needed to conduct an SSAE 16 readiness
assessment or audit, particularly when the scope
includes observing and ultimately testing a large
number of controls throughout many areas of a
company. TurnKey IT Solutions is sensitive to these
concerns, and thus, strives to conduct SSAE 16
engagements with the utmost efficiency and
effectiveness. We schedule the phases of the audit
to accommodate your employees and your time.
11. Are there differences between SOC 1 / SSAE 16
and SOC 2?
Yes. The AICPA has provided clear guidance in this
- Controls within a SOC 1 / SSAE 16 are defined by
management, and the audit is risk-based. This report
is useful to demonstrate to auditors and user
organizations that internal controls over financial
reporting (ICFR) are designed / operating
- Controls within a SOC 2 report are also defined by
management, but the audit is criteria-based, using
SysTrust / WebTrust principles. This report is
useful to demonstrate to a broad range of users
(outside of user organizations) that controls over
security, availability, processing integrity,
confidentiality and/or privacy are designed /
12. So, which report is right for our organization?
There are many factors that may influence which
report (SOC 1 / SSAE 16 vs. SOC 2) and type (Type I
or Type II) your organization should obtain. Contact
us for a free consultation.