Frequently Asked Questions on SSAE 16

What is the New Standard for Service Organizations?

Statement on Standards for Attestation Engagements (SSAE) 16 is the new standard meant for Service Organizations. It has replaced the much famous SAS 70 standard. SSAE 16 has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).


From when the new standard SSAE 16 will be effective?

Statement on Standards for Attestation Engagements (SSAE) 16  will be effective from 15 June, 2011.


What is meant by Attestation in SSAE 16?

In contrast to the SAS 70 (an auditing standard) SSAE 16 is an “attest” standard, falling under the attestation framework. As per the AICPA, under SSAE 16 examining controls at a service organization should not be treated as an audit, rather, it should fall under the “attest” standards, hence the name Statement on Standards for Attestation Engagements (SSAE) no. 16.


What is meant by System in SSAE 16?

In the new standard SSAE 16, focus has shifted to the description of the service organization’s system rather than to controls. The term “system” includes the following components:

  • Procedures used by the organization
  • People employed by the organization
  • Software used by the organization
  • Data handling by the organization
  • Infrastructure of the organization

What is meant by written assertion by Management in SSAE 16?

It is one of the significant change in the standard from SAS 70 to SSAE 16. Now Management of the Service Organizations has to provide a written Assertion that must be provided to the service auditor (CPA) representing and should covers the following points (but not limited to):

  • System Description: It should include the description of the service organization’s “system.”
  • Suitable Designed Controls : Explanation for that all the control objectives were suitably designed (SSAE 16 Type 1)
  • Effective Operating Controls : Explanation for that all the control objectives were operating effectively (SSAE 16 Type 2)
  • Basis for Assertion: A confirmation that management’s description  of the service organization’s system was designed and implemented as of the date of the assertion.

What are Sub-Service Organization Reporting Requirements in SSAE 16?   Or What is Carve-out Method or Inclusive Method?

A Sub-Service Organization is one who provided Services to a Parent Service Organization. For including the subservice organization in the reporting for SSAE 16, the following applies:

  • Carve-out Method:  In this method, the Service Organization’s description of its “system” should include the nature of the services performed by the Sub-Service Organization, excluding the subservice organization’s control objectives and related controls. And the description shall include what controls are in place for monitoring the effectiveness of controls at the subservice organization.
  • Inclusive Method:  Under this method, the Service Organization’s description of its “system” is to include the services performed by the actual subservice organization, along with the relevant control objectives and related controls of the subservice organization.

What is Risk Identification?

Standard requires Service Organization’s Management should identify Risks that can prevent the achievement of the stated control objectives. And also require determining that if controls would provide reasonable assurance that those risks would not prevent the control objectives from being achieved.

Management should also share their identification of risk with the Service Auditor. Organizations having Sarbanes-Oxley requirements, can use their report for the risk identification.

How to prepare for SSAE 16?

Path for SSAE 16 Implementation:

  • Prepare a Plan: A plan should be prepared with time line for the new standard.
  • Allocate Resources: Adequate Internal Resources should be allocated for doing Internal Audit functions.
  • Gap Analysis: Detailed Gap Analysis should be performed to check the current implementation status. Gap Analysis can be done for As-Is Analysis at the initiation or in the middle of implementation to check compliance. External auditors can help for effective Gap Analysis.
  • Sub-Service Organizations: Service organization shall educate its Sub-Service Organizations,  for the new requirements and the requirement of Management Assertions from them.
  • CPA Attestation: Last step in the implementation is the attestation from the CPA, after completing and providing necessary artifacts to the CPA.