What Is SSAE 16 and Why Is It Now a SOC 1 Report?
Unravel the history and current state of service organization control reporting. Understand how a key audit standard evolved for financial assurance.
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) served as a framework for auditors to evaluate and report on the controls at service organizations. This standard enabled a service organization to demonstrate the effectiveness of its internal controls to its clients. The primary goal of SSAE 16 was to provide a uniform approach for service auditors to assess controls that might impact a user entity’s financial reporting. It was designed to offer transparency and assurance regarding the processes and controls implemented by third-party service providers.
SSAE 16 superseded Statement on Auditing Standards No. 70 (SAS 70) in June 2011. An SSAE 16 engagement involved three main parties: the service organization, which provides services to its clients; the user entity, which is the client relying on the service organization’s controls; and the service auditor, an independent certified public accountant (CPA) firm performing the audit. From the service organization’s perspective, the purpose of an SSAE 16 report was to provide its user entities with assurance about the internal controls relevant to the services it delivers. The report typically included a description of the service organization’s “system,” which encompasses the services provided, along with the supporting processes, policies, procedures, and personnel.
Control objectives within an SSAE 16 context represent the aims or purposes of specific controls at the service organization. These objectives address the risks that the controls are designed to mitigate. Control activities are the actual processes and procedures implemented to achieve these objectives, such as segregation of duties or access controls. The service auditor evaluates these elements to form an opinion on the service organization’s control environment.
SSAE 16 reports were categorized into two distinct types: Type 1 and Type 2. A Type 1 report focused on the fairness of the service organization’s description of its controls and the suitability of the design of those controls. This report provided a snapshot of the controls as they existed on a specified date, indicating whether the controls were appropriately designed to achieve their objectives. A Type 1 report did not include testing of the operating effectiveness of the controls.
In contrast, a Type 2 report was more comprehensive, building upon the elements of a Type 1 report. It included an opinion on the fairness of the description and the suitability of the design of controls, similar to a Type 1 report. A Type 2 report also provided an opinion on the operating effectiveness of the controls over a specified period. This involved the service auditor performing detailed tests of the controls and reporting the results. The key distinction between the two types was that a Type 1 assessed design at a point in time, while a Type 2 evaluated both design and operational effectiveness over a period.
SSAE 16 was superseded by Statement on Standards for Attestation Engagements No. 18 (SSAE 18), effective May 1, 2017. This transition was part of an ongoing effort by the American Institute of Certified Public Accountants (AICPA) to clarify and recodify attestation standards. What was commonly referred to as an “SSAE 16 report” is now primarily known as a SOC 1 (Service Organization Control 1) report. This change in terminology reflects the broader framework of System and Organization Controls (SOC) reports under SSAE 18.
Under the SSAE 18 framework, different types of SOC reports address specific areas of control. A SOC 1 report focuses on controls at a service organization that are relevant to a user entity’s internal control over financial reporting (ICFR). This report directly fulfills the purpose of the former SSAE 16 report.
Organizations also issue SOC 2 reports, which pertain to controls related to security, availability, processing integrity, confidentiality, and privacy, based on the AICPA’s Trust Services Criteria. A SOC 3 report is a general-use version of a SOC 2 report, less detailed and suitable for public distribution. While the term “SSAE 16” is still widely used and searched for, organizations today obtain and issue SOC reports, predominantly SOC 1, to provide assurance regarding financial reporting controls.
User entities rely on these reports, now primarily SOC 1 reports, to gain assurance over the controls at their service organizations. These reports assist user entities in fulfilling their own audit requirements, particularly those related to financial statement audits. Compliance with regulations like the Sarbanes-Oxley Act (SOX) often necessitates understanding the controls of third-party service providers that impact a company’s financial reporting.
When a user entity outsources functions such as payroll processing, data hosting, or claims administration, its financial reporting can be directly affected. The user entity’s auditors need to understand and potentially rely on the controls at the service organization. SOC 1 reports provide independent assurance from a service auditor, reducing the need for the user entity’s auditors to directly audit the service organization’s controls. This process streamlines the audit for the user entity, making it more efficient and effective by leveraging the work performed by the service auditor.