What is Statement on Auditing Standards (SSAE) No. 16 ("SSAE 16")?
SSAE 16 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to provide a mechanism by which service organizations can demonstrate the establishment of effectively designed control objectives and control activities to their customers, via an in-depth audit of the processes that are related to the services rendered to their customers.
There are three (3) key reasons that service providers engage an auditor to prepare a SSAE 16 report:
Replaces the need for customer organizations to perform their own audits of services rendered by the service organization, thereby minimizing disruption of operations
Provides the service organization an independent operational assessment identifying opportunities for improvement regarding services rendered
Serves as a marketing tool by which service organizations can provide potential clients the SSAE 16 report as a validation regarding services offered
SAS 70 STANDARD
Acceptable for reports with specified dates/review periods ending before June 15, 2011.
SSAE 16 and ISAE 3402 are effective for reports with specified dates/review periods ending on or after June 15, 2011. Both standards may be adopted early by service organizations.
SAS 70 is a simple audit standard that addresses the performance of a SAS 70 Audit and the use of a SAS 70 audit report by user entities and user auditors.
SSAE 16 and ISAE 3402 are the attestation standards that address reporting on controls at a service organization. Separate audit standards exist for addressing audit considerations relating to an entity using a service organization.
Requires management to provide written representations in the form of a management representation letter that is obtained by the service auditor prior to the issuance of the SAS 70 audit report, but does not require management assertions like those required by SSAE 16 and ISAE 3402.
Management of service organizations is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization's system, the suitability of the design of the controls, and, in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management's description of the service organization's system and are similar in nature to those that were previously included in SAS 70 audit management representation letters. A separate management representation letter is also required.
Management assertion, and the underlying suitable criteria, are not a component of a SAS 70 audit report.
A service organization's management is responsible for specifying the criteria that it used to prepare the description of its system. The minimum suitable criteria are described in the standards and are the determining factor as to whether an assessment constitutes a Type 1 or Type 2 audit.
SUITABILITY OF DESIGN OF CONTROLS
Type 1 and Type 2 opinion letters opine on the suitability of design of controls as of a specified date in time.
Similar to SAS 70 audits, Type 1 opinion letters opine on the suitability of design of controls as of a specified date in time. However, Type 2 opinion letters are now required to opine on the suitability of design of controls over the entire specified review period.
EVIDENCE OBTAINED IN PRIOR ENGAGEMENTS
A service auditor may use evidence from prior service auditor's engagements to reduce the nature, timing, and extent of the tests of operating effectiveness.
A service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
USE OF INTERNAL AUDIT'S WORK PRODUCT
A service auditor is not required to disclose its use of internal audit's work product.
In the case of a Type 2 report, a service auditor is required to disclose the nature and extent to which it relied on the work of the internal audit function in its description of tests of controls. The service auditor's procedures with respect to that work must also be disclosed.
RESTRICTION OF REPORT USE
Standard opinion letter language restricts use of the report to the service organization's management, its customers, and their customers' financial statement auditors.
Standard opinion letter language is modified to restrict use of the report to the service organization's management, customers of the service as of a specified date (in the case of a Type 1 report), or during the specified review period (in the case of a Type 2 report), and the customers' financial statement auditors.
Standard opinion letter language defines intended users of the report as customers of the service and the customers' financial statement auditors. In addition, the service auditor may include wording that specifically restricts distribution of the report other than to intended users, its use by others, or its use for other purposes.
INCLUSIVE REPORTING METHOD
No requirement to obtain.
Subservice organizations are required to provide assertions and written.
SSAE 16 Diagnostic
A SSAE 16 diagnostic is an ideal, low-cost starting point for companies that have not previously had a SSAE 16 audit or other controls-based audit procedures performed. Our SSAE 16 diagnostic is designed to help our clients determine their preparedness for an actual SSAE 16 audit. Our findings, which are the areas we believe need to be addressed prior to an actual SSAE 16 audit, are reported only internally to management.
Type I SSAE 16 Audit
Includes an opinion on the fairness of the presentation of a description of controls in operation and how the design of the controls achieves the specified control objectives as of a point in time.
A Type I SSAE 16 audit may be preferable when your company:
Has never had a SSAE 16 audit performed
Has concerns regarding its readiness for a Type II SSAE 16 audit
Needs a SSAE 16 report to be issued within a short timeframe
Has no contractual obligation with its customers to have a Type II SSAE 16 audit performed
Type II SSAE 16 Audit
Report includes the information contained in a Type I service auditor’s report, but also includes an opinion on whether the specific controls were operating effectively during the period under review.
A Type II SSAE 16 audit may be preferable when your company:
Provides a significant level of services to companies impacted by the Sarbanes-Oxley Act of 2002
Is contractually obligated to provide a Type II SSAE 16 audit report to customers
Is often visited by various third parties looking to perform a variety of audit procedures
Agreed-Upon Procedures Reviews
There are instances where it is not necessary to perform a SSAE 16 audit, but it is necessary for a company to report upon its achievement of certain control objectives. In such a scenario, we would advise an agreed-upon procedures review.
These reviews have a defined set of procedures, such as verifying the accuracy, integrity, timeliness and confidentiality of information processed by the service organization
Designed to give independent third-party verification of selected controls to third parties, such as customers and financial institutions, e.g. lenders
Our SSAE 16 Services Team is committed to providing our clients with the following:
A team approach to client service, utilizing all of the resources of our firm
A flexible, practical, cost-effective approach to the delivery of a SSAE 16 product
The technical expertise you value and the personal service you deserve
Accessibility to engagement partners and professional staff
A detailed proposal and project plan to ensure that you receive the appropriate solution for your business
Affiliates in most major North American cities through our membership with the Leading Edge Alliance
The Marcum Advantage
Our "4-Fold" method divides the engagement into four phases: Analysis, Remediation, Fieldwork, and Reporting
Our approach ensures that our clients receive a high degree of efficiency, minimized disruptions to their business, and direct attention
Team leaders with significant experience performing SSAE 16 audits
National firm service without the associated high cost