The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) was issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). SSAE 16 is documented in the AICPA Professional Standards as Reporting on Controls at a Service Organization (AT § 801).
The Statement on Auditing Standards No. 70 (SAS 70), Service Organizations (AU § 324), was often misused to report compliance and operational controls. In an effort to correct that misuse, SSAE 16 replaces the SAS 70 guidance for service auditors reporting on a service organization's controls relevant to user entities' internal control over financial reporting (ICFR).
Audits are classified as either a Type 1 or Type 2 audit.
A Type 1 audit reviews your systems to evaluate whether the description of your controls fairly presents what was in place, and whether the design of your controls is suitable to meet the objectives of your security controls, as of a specified date.
A Type 2 audit reviews your systems to evaluate whether the description of your controls fairly presents what was in place, and whether the design and the operating effectiveness of your controls suitably met the objectives of your security controls, throughout a specified time period (typically six months).
If your organization provides outsourced services that touch or have a bearing on another organization's data, you need to properly handle and protect that data. Customers choose to do business with organizations based upon whether or not they have undergone a thorough independent audit to demonstrate security controls.
At its core, an SSAE 16 audit is a means through which your organization can demonstrate the lengths you go to in order to protect the sensitive data of your customers. As prescribed by AT § 801:
Service organizations that typically have SSAE 16 audits performed include:
An SSAE 16 audit takes place as a Service Organization Control 1 (SOC 1) examination. The audit reviews your transaction processing and data security controls that are likely to be relevant to your customers.
We provide a collaborative SSAE 16 audit and have streamlined the audit process to create efficiencies in both effort and cost. Based on our methodology, we can work with you to perform much of the audit remotely, reducing the amount of time required onsite to only a day or two. This allows your staff to stay focused on their work responsibilities while our team efficiently conducts the audit in a cost-effective manner.
At the conclusion of the audit, your SOC 1 report and opinion letter document the results as a formal attestation that you are maintaining security controls over your systems and that they are appropriate, accurate and reliable.
If you are currently working with an existing CPA firm to provide your SSAE 16 audit and are looking for the experience of a dedicated security company, Sikich also offers independent: