The SSAE16 Auditing Standard

The SSAE16 Auditing Standard

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.

The soon to be effective, SSAE-18, is expected to follow a similar reporting structure to the SSAE-16 within a SOC 1 report.

Who Needs an SSAE 16 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

What you Need to Know:

Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE16, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist

You may have heard SSAE-18 is on the horizon for reports issued as of May 1, 2017. There are some important updates discussed in here: SSAE-18 – An Update to SSAE-16.

As the standard is formalized and the date approaches we will continue to provide more information to help you prepare for these changes.

28 Responses

  1. I had my internship in an auditing firm. They are very strict when it comes to balancing assets of any company they are handling.

  2. This review is an impediment to smaller companies trying to compete in this industry. The cost of performing an SSAE16 in many instances is larger than the revenue realized from the customers requesting it of the supplier. A smaller company may be focused on one aspect of the entire process, but the SSAE16 makes no accomodation for that possibility. Instead the entire review would need to be done and the report filled in with a lot of DNA's, and then requireing the signature of a CPA that perhaps has never even visited the company.

  3. Really nice job,There are many people searching about that now they will find enough sources, Also looking forward for more tips about that…

  4. Accounts auditor meant a trusty financial recommendation of any corporation from third accounts expert like as auditor or audit organization. By follow this financial recommendation people or shareholders get ensure about their company’s financial condition. In the same way in IT department have needed IT auditing to solve of IT problem like as website technical problem etc.

  5. What does a student have to do to take a position a opportunity for being chosen for an internship in this field? I would be enthusiastic about an chance like that.

  6. “SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70.”

    – yeah right. I do agree with you right then.

  7. Really awesome job,There are many individuals looking about that now they will discover enough resources, Also anticipating for more guidelines about that.

  8. auditing standards have to be a concern for many individuals looking to discover resources and guidelines.

  9. Thank you for updating on new auditing standards. Auditing details do really help in understanding better about finances and tax returns.

  10. I am so happy to read this. This is the kind of SSAE 16 manual that needs to be given and not the random misinformation that’s at the other blogs. Thanks for sharing this.

  11. Great information, very clear and concise! I read it through twice to try sand absorb as much as I could for future reference.

  12. This is of great knowledge for me I just like reading such stuff. Do you have any ideas of what ssae 16 reivew costs?

  13. Based on my own personal experience with SSAE16, I agree with those who say that the cost of implementation will many times…if not always…exceed the possible financial gain from the customer requesting the review. This is a good example of a well intended effort that does not meet the practicality test.

  14. Thanks to a brilliant effort of your part in publishing this article on SSAE 16 reports.

  15. When you say “allowing companies around the world to give you their business with complete confidence,” is that confidence the equivalent of – say – getting a background check performed on a stranger, or more in line with offering accreditation as with the BBB?

  16. Thanks for sharing this very useful information. I’m going to bookmark your site for my future references…

  17. They are maintaining the standard procedure.They can set an example for all. This type is audit is essential in many companies.

  18. I am a business owner and I am very glad to know your information that you’ve writing about the auditing concerning issue. Which helps me a lot to run my business smoothly. Thanks 🙂

  19. A smaller company may be focused on one aspect of the entire process, but the SSAE16 makes no accomodation for that possibility, I don’t think?

  20. I really respect people who can read those kinds of documents without their eyeballs drying out! Tax is a really useful subject to learn but all this stuff makes me respect auditors and tax lawyers even more.

  21. A top retail trade group executive has called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.

  22. Companies must apply high standards in their business process outsourcing projects and contracts in order to become reliable and empower their brand’s status online and offline.

Leave a Reply

Get Our Emails

SOC Reporting Guide

Popular SSAE Resources

SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The

Read More »
%d bloggers like this: