SSAE 16: The New Standard for Reporting on Controls at Service Organizations
With the rise of outsourcing and cloud computing, more and more companies are entrusting their data to third-party providers and external data centers. The crucial factor in this decision is the extent of control that such external data centers have. SSAE 16, ISAE 3402, and other country or region specific standards offers third-party reporting on the controls at service organizations, and help clients make an informed decision.
SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is a U.S. reporting standard promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It is an “attestation” standard for service organizations.
SSAE 16 requires service organizations to provide a description of its systems and requires a written assertion from the management. The description of the system requires:
- List of services provided and the class of transactions processed
- Processes used, including all supporting processes for transactions, including the flow of transactions
- Description of how the system captures and addresses significant events and conditions
- Policies and procedures adopted
- Personnel and other operational activities related to the core operations of the data center
- Control objectives related controls and user control considerations.
- Elements of internal control in vogue, based on the COSO framework of 1. Control Environment, 2. Control Activities, 3. Information and Communication, 4. Risk Assessment, and 5. Monitoring.
However, there is no strict or explicit requirement on “how” or to what extent the documentation takes place. The scope of the documentation depends on the extent to which organizations are willing to disclose.
The “written declaration” component of SSAE 16 requires the management to assert that the service organization's system is suitably designed to achieve control objectives at the relevant time period. The declaration also discusses the criteria used to make these assertions. This takes the form of additional statements and supporting references related to risk factors for controls and control objectives.
There are two types of SSAE 16 reports: SSAE 16 Type 1 report and SSAE 16 Type 2 report. Both have similar requirements, with the only difference being in the time period. SSAE 16 Type 1 assessment is for a specific point in time whereas SSAE 16 Type 2 report covers a period in time, generally six (6) months in length.
Most organizations opt for SSAE 16 Type 2 as it covers a period of time. SSAE 16 Type 1 only offers a snapshot in time, and has no testing on the operating effectiveness of controls. SSAE 16 Type 1 reporting is mostly seen as a starting point for service organizations and a prelude to SSAE 16 Type 2.