Introduced by American Institute of Certified Public Accountant (AICPA), SSAE 16 is US regulatory requirement in cases where data is regulated and/or sensitive (such as in Sarbanes-Oxley (SOX) compliance), Where it is essential to know that service organizations managing this data have effective and well-documented controls in place.
SSAE 16 has two report types (audit stages):
Type 1: “Report on management’s description of a service organization’s system and the suitability of the design of controls”.
- Report is as of point in time
- Looks at the design of controls – not operating effectiveness
Type 2: “Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls”
- Report covers a period of time, generally not less than 6 months
- Includes tests of operating effectiveness
- Identifies instances of noncompliance of the stated controls.
SSAE 16 has three SOC types:
SOC 1 Reports: Reporting on controls relevant to internal control over financial reporting (ICFR).
SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy
SOC 3 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy in accordance with general Trust Service Principles.
Trust Service Principles:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.
We help organizations with our 6 step approach for successful attestation of SSAE-16.
For more information write to us: