SSAE 16 Type 1

Saturday, March 10th, 2012

SSAE 16 Type 1

 

An SSAE 16 Type 1 is a report on management’s description of a service organization’s system and on the suitability of the design of its controls. The report contains the following: a written assertion by management that the description presents the service organization’s system fairly, as designed and implemented as of a specified date; a statement of how the controls relate to the control objectives laid down in the description of the system, and that they were suitably designed to achieve those control objectives as of that date; management’s description of the service organization’s system; and an assurance report from the service auditor.

This is the latest standard set by the AICPA and supersedes the SAS 70 standard; it took effect in June of 2011. It provides an unbiased third-party assessment of management’s claim that the policies and procedures of the service organization were suitably designed, as of a specified date, to achieve the stated control objectives.

 

SSAE 16 Type 1 is built to give a service organization’s customers and their auditors relevant information about the controls that have been put in place, to support the user organization’s internal control over financial reporting. An auditor finds SSAE 16 Type 1 important because it can be used together with other information the auditor deems relevant to gain a good understanding of internal control when planning the financial audit of the user organization.

 

These auditors use SSAE 16 Type 1 to examine a service organization’s controls and determine the following:

Whether management’s description of the system is accurate and whether the design of the controls is appropriate. They also use it to determine whether management’s description accurately represents each relevant aspect of the service organization’s controls that should be operating as of the date of the report, and whether the design provides reasonable assurance that the specified control objectives would be achieved if the controls were complied with satisfactorily.

 

SSAE 16 Type 1 does not say specifically which set of controls must be vetted during the assessment; every audit is therefore tailored to the exact requirements of the service organization being audited. As such, the assessment of the service organization’s controls is service specific. It should also cover the IT controls and the contractual and regulatory requirements under which those services are maintained.

 

The service organization’s definition of its control objectives determines the scope of the assessment. The scope can also be defined through the activities that allow the organization to fulfill its specified control objectives.

 

In the end, the SSAE 16 Type 1 assessment deliverable consists of a hard copy of the audit report, a PDF of the audit report that is secured and for internal use only, and a report containing well-documented recommendations for management noted during the audit.

SSAE 16 – the standard

Thursday, February 2nd, 2012

SSAE 16 – the standard

SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16. It is an auditing standard put forward by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Launched recently, it is the new attest standard and replaces the existing SAS 70 standard. For reporting periods ending on or after 15 June 2011, this standard is compulsory for control reporting at a service organization. The transition from SAS 70 to the new standard adopts more globally accepted accounting principles and aligns more closely with the international service organization reporting standard, ISAE 3402.

The changes from SAS 70 to SSAE 16 will help companies from the United States compete at the international level and will encourage companies from all over the world to give business to American companies with increased confidence.

SSAE 16 addresses engagements conducted by service auditors on service organizations, reporting on the design of controls and the operating effectiveness of those controls. Companies following this standard must produce a description of their system and provide an assertion by management. This auditing standard, also referred to as Service Organization Controls (SOC), includes a number of improvements in the examination of service providers that will benefit CIOs and customers of information technology service companies.

Engagements conducted by auditors on service organizations can result in two types of reports being issued under SSAE 16: Type 1 and Type 2. The Type 1 report is technically defined as a Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls. As the definition says, it describes the organization’s control design and its suitability. The Type 2 report is technically defined as a Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls. In addition to what the Type 1 report covers, it also shows the operating effectiveness of the controls. If a company’s outsourced services in turn financially affect another company, the former company would be required to follow SSAE 16 Type 2. The outsourcing company in this case is the service organization, whereas the other company is the user organization.

SSAE 16 is not a certification; it is an attestation as of a specific date. Saying that a company is SSAE 16 certified or compliant is incorrect. Even if a vendor maintains this standard, it does not mean that its services and operations are sufficient for a company’s needs. The CIO needs to go through the vendor’s processes and read the SSAE 16 reports before deciding on the risk involved, and vendors should be checked for annual reports of this attestation. This standard does not change much from SAS 70. Most of the clauses remain the same, with two significant changes: earlier, only a description of the control design was required, whereas now a description of the entire system is required; and an assertion by management is now required, which was not required previously.

SSAE 16 vs. SAS 70

Wednesday, December 28th, 2011

SSAE 16 vs. SAS 70

To understand the difference between SSAE 16 and SAS 70, we must first understand the broad definition and framework under which both these standards operate:

SAS 70: Statement on Auditing Standards No. 70, or SAS 70 as it is generally called, is a US auditing standard that pertains to service organizations. This standard requires the auditors to check the various controls established by service organizations across their organizational and operational functions. The SAS 70 standard mandates that the auditors publish a report at the end of the audit, which includes not only the list of controls established by the organization but also the methods and steps undertaken by the auditors to determine the existence of those controls. The SAS 70 standard was established in the early 1990s in the United States and has undergone many revisions. SAS 70 was also adopted by many other countries, either completely or with minor regional and local modifications.

SSAE 16: Statement on Standards for Attestation Engagements No. 16, or SSAE 16, was implemented by the Auditing Standards Board of the United States. SSAE 16 was introduced for the main purpose of replacing the SAS 70 auditing standard, so its broad framework borrows heavily from the framework of SAS 70, but with significant modifications. The service industry as a whole has undergone significant changes in its operational and functional spheres. The auditing standards established by SAS 70 were meant for the service industry of 20 years ago; many newer aspects were left uncovered or improperly audited because of gaps in that framework. SSAE 16 covers the aspects that were left open by the SAS 70 standard. Apart from this, SSAE 16 is an “attest” standard, aimed at verifying the implementation of controls in service organizations and at ascertaining the relevance and effectiveness of those controls.

The difference between SAS 70 and SSAE 16 is best explained by the comparison chart below:

SAS 70 | SSAE 16
Audit standard | Attest standard
Auditing of existing controls in service organizations | “Attesting” the existence, implementation and effectiveness of controls in service organizations
Restricted only to the reporting of functional controls | Expanded scope covers the establishment of controls of the complete functional system
Reports the list of controls established by the service organization | Provides a detailed report that assesses and attests the implementation of controls along with proof of effectiveness
Does not include all functional and operational aspects of the present-day service industry | Includes all functional and operational aspects of the modern-day service industry
There is no further scope to improve or modify the existing auditing framework | The current framework of attest standards is up to date and is also provisioned for further modifications, to keep pace with the ever-changing service industry
Does not conform to present-day International Auditing Standards | The SSAE 16 framework is in conformity with international standards

 

This illustrative chart clearly explains the difference between SAS 70 and SSAE 16. It also clearly establishes the superiority, thoroughness and effectiveness of the SSAE 16 standards.

SSAE 16 and Payroll processing companies

Monday, December 26th, 2011

SSAE 16 and Payroll processing companies

Payroll processing companies specialize in providing functional services for payroll operations and in performing various other payroll-related activities outsourced by their clients. The general scope of services provided by payroll companies is listed below:

  • Providing payroll services for all the clients who have outsourced the work
  • Maintaining and updating clients’ employee data
  • Maintaining and updating payroll-related data
  • Performing all payroll-related sub-activities
  • Implementing process and functional improvement activities
  • Ensuring the safety and confidentiality of all client-related data, and honouring the confidentiality terms of client agreements
  • Agreeing to and abiding by all the rules and stipulations of the clients
  • Delivering the accepted performance and functional parameters
  • Providing periodic activity and performance reports to the clients

Payroll processing companies fall under the umbrella of the service industry and are subject to all the audits and attestations stipulated for this industry, so all payroll processing companies are eligible for an SSAE 16 attest engagement. SSAE 16 is an attest standard that is exclusively pertinent to the service industry. When payroll companies engage auditors for an SSAE 16 attestation, they must ensure that they define the scope and the parameters that fall under the attest engagement. The SSAE 16 framework is very robust and examines all the functional and operational parameters that fall within the scope. Apart from this, the SSAE 16 engagement verifies the presence and the implementation of the controls established by the payroll companies. The examination of controls does not stop at the establishment stage; it also extends to examining the effectiveness of all the controls established for the functions within the scope.

This robust examination of controls not only indicates the functional efficiency of payroll processing companies; it also points out and highlights deficiencies in their control mechanisms. Since the SSAE 16 engagement examines the entire functional system, payroll processing companies receive a detailed report on the effectiveness of their controls, the deficiencies and gaps in the establishment of controls, the scope for improvement and their overall performance in comparison to industry standards. The detailed SSAE 16 report not only serves as an eye-opener for the payroll processing companies; it also provides their clients with detailed insight into the functional aspects of the organization.

SSAE 16 attest standards conform to international auditing requirements, so a positive SSAE 16 report acts as a certificate of efficiency for payroll processing companies. They can share the SSAE 16 report with existing clients to reaffirm the trust and business relationship already established, and they can present it to potential clients as proof of functional efficiency. SSAE 16 is the latest and the most important attest standard for the service industry. Business entities are aware of the thoroughness and robustness of the SSAE standards and are gradually moving towards SSAE 16, away from the traditional SAS 70 audit standards. Payroll processing companies can also benefit, like all other service industry organizations, by adopting the SSAE 16 standards.

SSAE 16 Preparation Tips

Saturday, November 26th, 2011

SSAE 16 Preparation Tips

SSAE 16 is the current standard of control for service organizations and is an enhancement of the SAS 70 standard. Service organizations need to ascertain the necessity and relevance of an SSAE 16 assessment for their processes and then define the scope of the assessment. Organizations should initially hold a comprehensive discussion with the relevant stakeholders of the processes, along with the internal audit department, to understand the requirements and to assess which process controls already exist and which need to be implemented. Based on this determination, the scope can be defined and published. The scope must be detailed, specifying the list of controls, timelines, operational processes and the methods of ratification and verification of the controls.

The organization then needs to discuss the scope with the CPA consultant and set expectations. The CPAs are well placed to offer input about the controls and the steps of the tests on those controls because of their knowledge of the requirements. The organization can then take this input and these suggestions to the internal team for further discussion and possible implementation. While conducting the internal discussions, the organization must ensure that all employees of the departments concerned are privy to the steps. This is important because it is often the back-end employees who implement the process controls; their input and suggestions are very valuable for the overall success of the endeavour.

When an organization has detailed and final definitions of its objectives, controls and all related activities, the SSAE 16 preparation can be considered half complete. It then needs to conduct an internal readiness assessment prior to the actual audit. Many organizations neglect this step, usually to save some cost, and jump directly into the final audit without knowing whether they are ready for it; this can only be detrimental to the overall results of the audit. A readiness assessment can easily be completed by internal stakeholders, as long as they understand the requirements, scope and definitions. Where an organization does not have qualified internal audit assessors, it can ask the CPA to perform the assessment or hire a firm that specializes in SSAE 16 audit preparation.

To summarize, the three steps of SSAE 16 preparation are: scope and definitions; reviews and recommendations; and readiness testing. Most organizations falter in the first and second steps. This leads to open ends in the scope, ambiguity in the definitions, and gaps or misrepresentations in the controls. In the end, the organization tries to cover up these open ends during the readiness assessment phase, which only leads to unnecessary delays and miscommunication during the audit. These steps need to be implemented sequentially; then the actual SSAE 16 audit can be a breeze. The CPA is bound to be satisfied with the thoroughness of the organization’s SSAE 16 preparation, controls and testing, which can also lead to a quick completion of the engagement.

If you are interested in preparing for an SSAE 16 email us at info@getssae16ready.com or simply fill out our Contact form!

Difference between SSAE 16 type 1 and type 2 reports

Thursday, November 24th, 2011

Difference between SSAE 16 type 1 and type 2 reports

SSAE 16 Type 1 report: This report is aimed at understanding and validating the service organization’s systems and controls and the implementation of the listed controls. For this engagement, the management of the organization will need to prepare detailed descriptions of all the existing controls of the organization, the method of designing the controls and the methodology of their implementation. They will also need to specify the timelines of the creation and implementation of the controls within the organization.

The organization will also need to prepare a written assertion that details the scope of the SSAE 16 Type 1 report, the date on which the test is to be conducted, and the relevance and integrity of the information provided in the description. The organization submits both the assertion and the description to the auditor for the engagement. The job of the auditor for a Type 1 report is only to:

  • Test the accuracy of the information provided in the description and assertion
  • Test the suitability and the implementation of the controls on the date of the test

The test is done on the basis of one sample examination per control. After the test phase is complete, the auditors publish a detailed report on the results of the sample control tests and an objective opinion of the overall information provided in the description. Effectively, the SSAE 16 Type 1 report establishes the existence of the service organization’s control systems and their implementation on the specified date of the test. This report can be of interest to existing and potential clients of the service organization, as it confirms the credibility of the service organization.

SSAE 16 Type 2 report: This report is more aligned to testing the effectiveness of the system controls implemented by the service organization. For this engagement, the management of the organization prepares the description and assertion and submits them to the auditor. The auditor then performs all the activities done for a Type 1 report, along with a thorough examination of all the controls for their effectiveness and relevance. The other difference in a Type 2 report is that it covers a period of time (e.g., six months or one year), as opposed to the “on date” examination of a Type 1 report.

SSAE 16 Type 2 reports establish the following:

  • Accuracy of the information in the description and assertion
  • Suitability and implementation of the controls for a specific period of time
  • The effectiveness and thoroughness of the controls in the service organization

SSAE 16 Type 2 reports are more relevant from an organizational and client viewpoint because they establish that the service organization has good systems in place and that these systems ensure continuous, error-free and efficient operations. Usually, service organizations that have not previously undergone SAS 70 audits ask for a Type 1 report to understand where they stand in terms of controls. They also use the Type 1 results as observations and guidance as they work towards becoming operationally ready for a Type 2 audit.

 

SSAE 16 – The Benefits

Tuesday, November 22nd, 2011

SSAE 16 – The Benefits

 

Statement on Standards for Attestation Engagements No. 16, or SSAE 16 for short, is the attest standard for CPA firms, set by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). With SSAE 16, auditing methods have embraced a globally recognizable and accountable approach. It also calls for a description of how the system works, accompanied by a written assertion. The written assertion should follow a specific format, include a few essential clauses and be drafted by management.

 

The SSAE 16 report is drafted to give customers and their accountants an outline of the control structure of a firm’s business procedures across different aspects. In short, this report is important for the following reasons:

 

  • It assists both customers and auditors in weighing risks and planning the auditing process in line with the financial statements.
  • It enables auditors to understand how the process works without undertaking research at specific organizations.
  • To summarize, it is an auditing report from the service auditor to the user auditor on the related internal structures and procedures.

So, are SSAE 16 reports really beneficial? Who benefits from SSAE 16 reports?

 

SSAE 16 reports are beneficial for several reasons:

 

  • Public companies will get more requests for SSAE 16 reports, since many auditors of their customer base will step up their review of the “system of internal control” during audits of financial statements.
  • Owing to SSAE 16, a one-time audit should suffice, since both clients and auditors can rely on this report rather than requesting independent reports from time to time.
  • Both public and private companies will trust an organization with an SSAE 16 attestation, since they will be able to view and verify the authenticity of the organization’s claims and controls.
  • The report also gives room for increasing the organization’s efficiency, as aspects that were previously not under scrutiny come under intense scrutiny.

 

SSAE 16 Report’s Benefits for a User Organization:

 

Every user organization will get a Service Auditor’s Report from its service organization, with information on the service organization’s controls and their efficiency. The user organization also receives a brief outline of the service organization’s controls and an external review of the truth of the claims listed in the report. The operation of the controls, how they work and how effectively they are put into use are all reviewed in the independent report.

 

User organizations, on the other hand, submit the Service Auditor’s Report to their own auditors. This report is of great help with the preparation of financial statements; without it, the user organization would have to send its auditors to the service organization to undertake procedures there, for which it would have to pay them.

SSAE 16 Report’s Benefits for a Service Organization:

 

For a service organization, getting an SSAE 16 examination done is of utmost importance. A Service Auditor’s Report, backed by an independent analysis, will boost the trust of its user organizations, since the controls and procedures are listed in detail.

 

Without a Service Auditor’s Report, the service organization would have to undergo multiple audits, one every time a user organization requests one.

 

SSAE 16 reports are done by professionals who are well versed in audit, risk and control aspects, with extensive experience in auditing, accounting and information security. In short, an SSAE 16 examination ensures the service organization is evaluated on its control policies, procedures and other related aspects by an independent professional. This way, not just the authenticity of its controls but also possible improvements in key operational areas can be determined.

 

Contact a provider today!

Information about AT section 101

Wednesday, November 16th, 2011

Information about AT section 101

AT Section 101 is the codified standard that provides the guidelines for SOC 2 reporting. Service Organization Control 2 (SOC 2) reports pertain to internal controls that fall outside the purview of financial reporting. AT Section 101 is codified in accordance with the guidelines of the AICPA and, like all other sections and guidelines, is subject to periodic reviews and amendments. SOC 2 attest engagements can be independent or part of a larger engagement that includes other reporting controls, but the reporting for this engagement must be done separately and as per the section’s standards. AT Section 101 engagements follow the standard initiation procedure, where the entities engage the services of professional practitioners by providing assertions or by completing all relevant standard formalities.

The assertions must give a detailed description of the scope of the engagement, the availability of relevant data, the period or timeline for which the engagement is conducted, and the requirements. The requirements may be the completion of an examination, a report on the subject matter(s), or a review. The practitioners who undertake these engagements bear the responsibility of adhering to AT Section 101 standards, along with the implementation of acceptable quality norms. They are technically trained and experienced in conducting attest engagements, and they have adequate subject knowledge to understand and analyze the subject information. The entities take responsibility for the integrity of the information in the assertion and for the accuracy and relevance of the data provided.

The first step of the engagement begins when the practitioners examine the data and the pertinent criteria. They also establish and verify the entity’s procedure for determining the criteria. The practitioners then proceed with their examination, based on the directives and standards provided in AT Section 101. The standards detail the procedures for every step, which ensures not only the independence of the examination but also the thoroughness of the engagement. The procedures include standards for the implementation of fieldwork; the gathering of all relevant evidence; reporting requirements and presentation; examination report procedures; review report procedures; and so on. The practitioners follow the standard guidelines in a systematic and chronological manner, which ensures the thoroughness of the attest engagement.

The procedures of AT Section 101 engagements are not very different from those of other sectional standards. The importance of this section lies in its inclusion of subject matters and the thoroughness of its procedures. AT Section 101 is more aligned with, but not limited to, the service industry, especially the modern-day aspects of the industry. There are many innovations and advancements in the operational, intra-functional and implementation aspects of the service industries. The entities also use innovative technologies and advanced tools, which are in a constant state of change and improvement. It is difficult for the other standards to include all these aspects as engagement subjects; they also lack the standards of measurement and the list of acceptable criteria for them. AT Section 101 is a fairly recent addition to the standards and includes standards for all the new aspects of the industries. It is therefore invaluable for the entities, both in terms of compliance with industry standards and as a measure of their performance.

AT Section 101 SOC 2 Quick Notes

Monday, November 14th, 2011

Components of a System:

  • Infrastructure – The physical hardware components of a system
  • Software – The programs and operating software of a system
  • People – The personnel involved in the operation and use of a system
  • Procedures – The automated and manual procedures involved in the operation of a system
  • Data – The information used and supported by a system

5 Trust Service Principles:

  • Security – The system is protected against unauthorized access (physically and logically)
  • Availability – The system is available for operation and use as committed or agreed
  • Processing Integrity – System processing is complete, accurate, timely, and authorized
  • Confidentiality – Information designated as confidential is protected as committed or agreed
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice.

 

The trust services criteria for each principle are organized into four broad areas:

  • Policies – The entity has defined and documented its policies relevant to the particular principle
    • Policies refer to written statements that communicate management’s intent, objectives, requirements, responsibilities, and standards for a particular subject
  • Communications – The entity has communicated its defined policies to responsible parties and authorized users of the system.
  • Procedures – The entity has placed in operation procedures to achieve its objectives in accordance with its defined policies.
  • Monitoring – The entity monitors the system and takes action to maintain compliance with its defined policies.

 

TSP 100 Paragraph .07 states the following:

In the trust services principles and criteria, the criteria are supported by a list of illustrative controls that, if operating effectively, enable a system to meet the criteria. These illustrations are not intended to be all-inclusive and are presented as examples only. Actual controls in place at an entity may not be included in the list, and some of the listed controls may not be applicable to all systems and client circumstances. The practitioner should identify and assess the relevant controls that the client has in place to satisfy the criteria. The choice and number of those controls would be based on such factors as the entity’s management style, philosophy, size, and industry.


SSAE 16 Readiness

Sunday, November 6th, 2011

I have written this article to assist those who have not had any experience with a SAS 70 or SSAE 16 audit. I am going to give you some tips on items that can be done right away and others that can be done a bit later. The following information can be used as a checklist to assist you in preparing for the SSAE 16 audit. A more robust version will be available for companies that have a bit more experience with the SAS 70 or SSAE 16 process.

SSAE 16 Readiness

Being Prepared for an SSAE 16 Audit can save time and money!

Gather information.

Obviously you are headed in the right direction; reading the information on this site will help you get a better understanding. However, if you need further assistance, please Contact Us.

You might start by looking into auditors that perform SSAE 16 audits. Consider researching several firms that could sign off on your SSAE 16 report; only a CPA firm is allowed to do that. The process should be handled very carefully, as you will be trusting the company you select to do a complete job.

Some Keys to your decision:

1. Can you afford a large CPA firm? Your company size may dictate the cost for such a service.

2. Are your clients going to demand only the largest (and most expensive) CPA firms handle your SSAE 16 audit? You have to know your clientele.

3. Make sure that the companies you are looking into have done this work in the past. If not, make sure that they at least have auditors that have done SSAE 16 audits previously.

4. What are their methods? Be sure you are comfortable with the process they use, so that you are comfortable with their answers and agree on the protocol.

Start narrowing your list. Consider the facts you have gathered and try to decide on a few companies you would like to work with. Of course, do not forget about cost. Prices can vary depending on the audit type and the size of your company; however, SSAE 16 audits range from $15,000 to $30,000 on average. Make sure to agree on a rate for your audit so there is no chance of the audit company changing its pricing down the road.

Make sure to clearly define your scope. Upon selecting a CPA firm to do the audit, define your objectives right from the start; if you miss this step you can run into delays and cost issues. In partnership with the firm conducting the audit, identify the processes and controls that are going to be tested, together with the persons conducting the review and the persons signing off on it. If you fail here, you may run into trouble later.

Conduct an SSAE 16 readiness assessment. You can handle the readiness assessment yourself or, if you do not feel prepared to handle it, outsource it to a company that is comfortable doing so.

This information should give you a good idea of how to start preparing for an SSAE 16 audit. Once you have gone through all of these steps then you simply have to choose a firm to do the SSAE 16 audit, which likely will be successful due to your preparation.