When companies outsource IT and other business processes, they are looking for assurances that the service providers' corporate controls pass muster and that data is not exposed to undue risk. Companies can request audits of service providers' systems, but this can be an expensive and time-consuming endeavor.
To help ease customer concerns, a service provider can hire a third-party auditor to conduct an examination based on a set of standards known as the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Although an SSAE 16 report is not a compliance certification in the traditional sense, SSAE 16 reports have become a commonplace guide to service providers' internal compliance controls and the reporting standard for all service auditors' reports since going into effect in June 2011.
This FAQ is part of SearchCompliance.com's IT Compliance FAQ series.
What is SSAE 16?
SSAE 16 is a set of requirements and guidelines for auditors who report on service providers' systems as they pertain to customers' internal control over financial reporting (ICFR). The guidance was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) as part of an effort to unify U.S. control standards with those of the International Auditing and Assurance Standards Board.
SSAE 16 reports (which are also called service organization control, or SOC, reports) can be used by CPAs who audit the financial statements of the service provider's customers. The SOC report details whether the provider's description of its controls is fair, whether the controls' design is suitable and, in some cases, whether the controls operate effectively.
The Statement on Auditing Standards No. 70 (SAS 70), an earlier set of standards, was replaced by SSAE 16 when SSAE 16 went into effect on June 15, 2011.
What type of companies should undergo an SSAE 16 examination?
Service providers that potentially influence customers' financial statements are often asked to provide assurance of their internal controls. A few common examples of these providers are those that conduct data center or network monitoring services, Software as a Service, payroll processing and medical claims processing. To generate trust in their controls and make it easier for their customers to meet their own financial reporting obligations, providers can complete an SSAE 16 examination.
The AICPA provides this example:
If Company A outsources its client billing, the person who audits its financial statements has to understand the design of the service provider's billing process controls because the billing data is included in Company A's financial statements. By completing an SSAE 16 examination, the billing service provider makes it easier for its customer, Company A, to meet its own reporting requirements.
What are the advantages of undergoing an SSAE 16 examination?
Completing an SSAE 16 report can help a service provider generate trust in its systems and assist customers with their own financial reporting. Without this report, providers are apt to get requests from current and potential customers to conduct reviews of the controls themselves.
IT and communications provider EarthLink Inc. distributed a press release on Dec. 17, 2012, heralding the completion of an SSAE 16 examination. The company said it could now provide its customers "with assurance of corporate controls and validation of EarthLink's commitment to the most stringent standards of operational excellence."
What are the main differences between SSAE 16 and SAS 70?
There are several major changes stemming from the changeover to SSAE 16:
- The outsourcer's management must now provide auditors with a written assertion about the fairness of the description of its system, the suitability of the design of the controls and, in some cases, the operating effectiveness of the controls -- also called a "Type II report engagement."
- If the outsourcer is undergoing a Type II engagement, the auditor's report covers the period during which the operating effectiveness of the controls was tested, rather than a specific date.
- The auditor must identify the control tests completed by the internal auditor and the procedures relative to that work.
- The auditor can't use evidence from previous engagements as grounds for reduced testing.
- New criteria for measuring, presenting and evaluating systems are required.
- The auditor's report must include newly specified elements, and providers must have enhanced reporting requirements regarding subcontractors.
What are critics' complaints about SSAE 16?
The criticism of SSAE 16 mirrors that of the preceding standard, SAS 70, which is that an examination's subsequent report (the SOC 1 report) attests to self-defined controls. However, there are two other types of SSAE 16 reports -- known as SOC 2 and SOC 3 reports -- that are more complicated and more expensive than the SOC 1 report. SOC 2 and SOC 3 incorporate Trust Services Principles and Criteria from the American Institute of Certified Public Accountants, which focus on security, confidentiality, privacy, system availability and processing integrity. Even so, critics say, the principles and criteria don't provide sufficient detail.
Some observers also argue that the SSAE 16 examination doesn't cover security threats such as insider activity and inappropriate data handling. Without concrete standards, the SOC report may not provide a full picture of a provider's controls, critics add. Kevin McDonald, executive vice president and director of compliance practices at Alvaka Networks, maintains that providers can claim to have passed a certification without actually demonstrating sound controls.
"On several occasions, after organizations 'passed an audit,' I saw that it was really nothing more than lipstick on a pig," McDonald wrote about a year after the SSAE 16 went into effect. "The answers may have been fudged or the issues were fixed only temporarily."
Is the SSAE 16 a compliance certification?
Although many companies that have completed an SSAE 16 or an SAS 70 examination call themselves "certified," the AICPA makes clear that neither SAS 70 nor SSAE 16 is a certification.
"No such certification exists under SAS No. 70, nor does it exist under SSAE No. 16. An SSAE 16 report (as with a SAS No. 70 report) is primarily an auditor-to-auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities' ICFR," the institute stated.