What Is an SSAE 16 Report and What Is Its Purpose?
Discover the purpose of SSAE 16 reports, their role in ensuring service organization control integrity, and how they benefit client trust and oversight.
An SSAE 16 report provided insight into the internal controls of service organizations that impacted their clients’ financial reporting. These reports offered assurance to user entities about the effectiveness of controls implemented by third-party service providers. By detailing the control environment, an SSAE 16 report aimed to foster transparency and trust in outsourced processes.
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) was an auditing standard issued by the American Institute of Certified Public Accountants (AICPA) to guide service organizations in reporting on their internal controls. Introduced in 2010, it superseded SAS 70, with an effective date for reports on or after June 15, 2011. The primary purpose of SSAE 16 was to establish guidelines for service organizations to assess and communicate the effectiveness of their internal controls, particularly those relevant to a client’s financial reporting. This standard helped ensure the confidentiality, availability, and integrity of client data when processes were outsourced to third parties.
SSAE 16 was designed to align with international standards, specifically ISAE 3402. It addressed the necessity for user entities to understand the control environment of service organizations they relied upon, especially when these controls could affect the user entity’s financial statements. For instance, companies outsourcing payroll, data hosting, or claims processing often required an SSAE 16 report to assess the risks associated with these services. It provided a structured way for auditors of user entities to rely on the service organization’s controls without conducting redundant audits.
SSAE 16 has since been superseded by SSAE 18, effective for reports dated on or after May 1, 2017. While SSAE 18 introduced enhancements, the foundational principles and report structures established by SSAE 16 remain relevant for understanding the evolution of service organization controls reporting.
An SSAE 16 report contained several components providing an overview of a service organization’s control environment. These included:
Management’s Assertion: This was the service organization’s written statement attesting to the fair presentation of its system description and the suitability of its controls’ design. For Type 2 reports, this assertion also affirmed the operating effectiveness of those controls over a specified period.
Independent Service Auditor’s Report: This section presented the auditor’s opinion on management’s assertion and the description of controls. It provided assurance regarding the accuracy and reliability of the information presented within the report.
Description of the Service Organization’s System: This outlined the services provided, the systems and processes involved, and how transactions were initiated, authorized, recorded, and processed.
Applicable Control Objectives and Related Controls: This defined the specific control goals the service organization aimed to achieve and the actual controls implemented to meet these objectives.
Tests of Controls and Results (Type 2 reports only): This detailed the audit procedures performed by the service auditor and the findings regarding the operating effectiveness of the controls over the specified period.
SSAE 16 reports were issued in two distinct types, each offering a different level of assurance regarding the service organization’s internal controls. A Type 1 SSAE 16 report provided an opinion on the fairness of management’s description of the service organization’s system and the suitability of the design of its controls to achieve specified control objectives as of a specific date. This report served as a snapshot, indicating whether controls were appropriately designed at a particular moment in time. It did not include testing of the operating effectiveness of those controls.
In contrast, a Type 2 SSAE 16 report was more comprehensive, building upon the Type 1 assessment by evaluating the operating effectiveness of the controls over a specified period, typically six to twelve months. This report encompassed the fairness of management’s system description, the suitability of the design of controls, and the results of the service auditor’s tests to determine if the controls operated as intended throughout the specified period. The inclusion of testing and results made the Type 2 report more valuable for user entities requiring assurance about consistent control performance.
The SSAE 16 report process involved three primary parties, each with distinct roles.
The Service Organization was the entity providing services to user entities, whose internal controls could impact the user entities’ financial reporting. This organization was responsible for establishing, maintaining, and describing its internal control system. Management also provided a written assertion about the effectiveness of these controls.
The User Entity was the client of the service organization, relying on the SSAE 16 report to understand the service organization’s internal controls. These entities used the reports to assess risks associated with outsourcing functions and to fulfill their own regulatory or audit requirements, such as Sarbanes-Oxley Act (SOX) Section 404 compliance. The report allowed user entities and their auditors to evaluate the impact of the service organization’s controls on their financial statements.
The Service Auditor was an independent Certified Public Accountant (CPA) firm engaged by the service organization to perform the SSAE 16 examination and issue the report. The service auditor’s role included assessing management’s assertion, evaluating the fairness of the system description, and, for Type 2 reports, testing the operating effectiveness of the controls. The auditor then issued an opinion based on these assessments, providing an objective evaluation of the service organization’s control environment.