This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (October 2017) (Learn how and when to remove this template message)
Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is an auditing standard for service organizations, superseding Statement on Auditing Standards no. 70 (SAS 70). The "service auditor’s examination" of SAS 70 is replaced by a System and Organization Controls (SOC) report. SSAE 16 was issued in April 2010, and became effective in June 2011. Many organizations that followed SAS 70 have now shifted to SSAE 16. Some service organizations are becoming savvy to the ability to use the SSAE 16 report status to show they are more capable, also encouraging their prospective end-users to make having an SSAE 16 standard part of new vendor selection criteria. It is widely known that public companies in the United States fall under the Public Company Accounting Reform and Investor Protection Act, also known as Sarbanes–Oxley or SOX. However, there are also a number of provisions of the Act (e.g. the willful destruction of evidence to impede a federal investigation) that apply to privately held companies.
SSAE 16 is largely an American standard, but it mirrors the International Standard on Assurance Engagements (ISAE) 3402. Similarly, SSAE 16 has two different kinds of reports. A SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day. A SOC 1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.
SSAE 16 reporting can help service organizations comply with Sarbanes–Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting.
For reports that are not specifically focused on internal controls over financial reporting, the American Institute of Certified Public Accountants (AICPA) has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 audits and focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set. In this respect, it is similar to ISO 27001:2013.
Effective May 1, 2017, SSAE 16 has been superseded by SSAE 18.
- "System and Organization Controls (SOC): SOC Suite of Services". Retrieved 30 May 2017.
- "SSAE 16 overview". Retrieved 11 May 2015.
- "Why Data Centers Need SSAE 16". Data Center Knowledge. Retrieved 11 May 2015.
- "SOC 2 Audit Overview". Retrieved 24 May 2016.
- "SSAE-18 - An Update to SSAE 16". www.ssae-16.com. Retrieved 2017-08-29.