SSAE 16 Type 1
An SSAE 16 type 1 is a management report describing system and design of controls suitability of a service organization. This report bears the following; a management’s written assertion about the service organization that presents fairly it’s systems as designed as well as carried out in time according to schedule. It also lays out how the controls are related to the objective laid down in the systems for the service organization description and seeing that they were well designed to acquire the control objectives in time. The SSAE 16 Type 1 also has the service organization’s system well described and an assurance report from the service auditor.
This is the latest standard set by AICPA, which is better than the SAS70 standard that was introduced in June of 2011.It provides an unbiased third party assessment of management’s claim that the policies and procedures of a service organization were appropriately drawn at a time when the control objectives specified can be attained.
SSAE 16 Type 1 is built to give a service organization’s customers and auditor’s relevant information regarding the controls that have been put in place that will help the organization internal control when it comes to reporting on financial matters. An auditor finds SSAE 16 Type 1 important for the organization for he can use it together with other information that he deems important so that he or she can have a good ground on internal control to plan the financial audit for the user organization.
These auditors use SSAE 16 Type 1 to examine service organizations controls to come up with the following:
See whether the management depicts the systems descriptions accurately and whether their design is appropriate. They also use it to determine whether the description of the system put in place by the management accurately represent each relevant aspect of the service organization controls that should be operating as the date of the report. It also helps auditors determine whether the design provides assurance that is reasonable upon satisfactory adherence of the controls so that the specified controls can be attained.
The SSAE 16 type 1 doesn’t say specifically which set of controls are needed to be vetted during it’s assessment therefore every audit is made to the exact requirement of a service organization that is put under the auditing process. As such, an assessment of the service organization controls that is service specific and is required. It should also be specific to IT controls. Contract and regulatory requirements so that these services can be maintained.
The service organization definition of its control objectives is the one to determine the scope of the assessment requirements. This can also be done through the activities that allow the organization to fulfill it’s specified control objectives.
In the end, SSAE 16 type 1 report of the assessment is made up of a copy of the audit report in hard copy, a PDF format of the audit report is also secured and for internal use only, a report containing well documented recommendations for the management noted from the audit is given.