If you’re new to the world of information security audits, check out this comprehensive guide on the history of SSAE 16, why it replaced the SAS 70, and how becoming SSAE 16 compliant could benefit your business.

What’s the purpose of an SSAE 16 audit and should I pursue one?

Outsourcing critical business functions, such as IT or HR, is a common practice among many businesses today. While outsourcing is a great way to cut operational costs and acquire resources that aren’t available internally, it doesn’t come without its risks. It is especially crucial to consider how outsourcing functions to service organizations could impact your internal control over financial reporting (ICFR). In accordance with Sarbanes-Oxley (SOX), publicly traded companies are responsible for maintaining an effective system of internal control over financial reporting (ICFR). Such emphasis on governance and risk management when it comes to reporting on controls at a service organization is the reason many organizations have chosen to require their vendors, who may have an impact on their ICFR, to obtain an SSAE 16 (SOC 1) Attestation Report.

SAS 70 is the Statement on Auditing Standards No. 70, an older auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provides standards for reporting on controls and processes at service organizations, but, unlike later standards, did not require auditors to obtain a written assertion concerning the design and effectiveness of controls. SAS 70 was superseded by SSAE 16 in 2011, and more recently, by SSAE 18.

SSAE 16 is the Statements on Standards for Attestation Engagements no. It provides a set of standards and guidance for attestation reporting on organizational controls and processes at service organizations. Audits using SSAE 16 generally result in System and Organizational Control (SOC 1) reports. Unlike earlier standards, SSAE 16 requires a written attestation from a service company’s management, stating that its description accurately represents organizational systems, control objectives, and operational activities that affect customers. SSAE 16 was superseded by SSAE 18 in 2017.

SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify previous standards. Like SSAE 16, SSAE 18 is used in SOC 1 reports, but also in SOC 2 and SOC 3 reports, which were previously conducted under AT 101. Among other changes, SSAE 18 additionally requires that service organizations identify subservice organizations and provide risk assessments to auditors. SSAE 18 is the current standard that SOC 1 audits use.

To make a long story short, CPAs in the past were using the SAS 70 to report on things other than financial reports; however, the SAS 70 was never intended to do so. By introducing a new attestation standard to assess service organizations, the AICPA developed improved assurance by replacing the SAS 70 with the Statement on Standards for Attestation Engagement No.

SAS 70, Cruising with The Auditing Standard

Not only does the SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allowed user organizations to appropriately assess the reliability of the controls at a service organization.

What’s the difference between SSAE 16 and SAS 70?

One of the key differences between the SAS 70 and the SSAE 16 is that the SAS 70 is an “auditing” standard, whereas the SSAE 16 is an “attestation”. When the AICPA made the decision to replace the SAS 70, they thought it more appropriate for a service organization audit to be an examination of a system, which is different than an audit of financial statements. The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70, however, lacked the level of detail that the SSAE 16 offers.

New and Improved: The SSAE 16 Audit Report

The SAS 70 simply provided a description of controls and did not include any type of management assertion. The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report.

As mentioned before, the purpose of an SSAE 16 report is to report on the controls at a service organization that may have an impact on their clients’ financial reporting. If you’re an organization that provides hosting services, data management services, etc.