SSAE 16
Statement on Standards for Attestation Engagements No. 16, "Reporting on Controls at a Service Organization" ("SSAE 16") is an enhancement to the former standard for Reporting on Controls at a Service Organization, the widely used Statement on Auditing Standards No. 70 ("SAS 70"). SSAE 16 is now effective, and if you have not made the necessary move, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standard in a SOC 1 Report.
For service organizations that currently have a SAS 70 service auditor's examination ("SAS 70 audit") performed, some changes will be required to report effectively under the new SSAE 16 standard.
For instance:
Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
The fairness of the presentation of the description of the service organization's system;
The suitability of the design of the controls to achieve the related control objectives stated in the description; and
The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II only).
During the process of understanding the service organization's system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization's system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.
Additional information on SSAE 16 and Service Organization Control reports can be viewed at the AICPA's new web page (http://www.aicpa.org/soc).
As with the old SAS 70 reports, the new SSAE 16 report has a similar construction in a Type I or Type II format. The following is a basic outline of that format.
In a Type I report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, also as of a specified date. This report is "as of a certain date" and does not actually attest that the controls and/or systems were indeed operating effectively. For that, the Type II report is needed.
In a Type II report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented throughout the specified period; (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives; and (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives.
are issued by senior technical bodies of the AICPA designated to issue pronouncements on attestation matters. Rules 201 and 202 of the AICPA Code of Professional Conduct require an AICPA member who performs an attest engagement to comply with such pronouncements. The practitioner should have sufficient knowledge of the SSAEs to identify those that are applicable to his or her attest engagement and should be prepared to justify departures from the SSAEs.
