• Do your research.
  • You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable.
• Find a few CPA firms who perform SSAE 16′s (or SAS 70).
  • You will want to research a number of firms that could perform and sign off on your SSAE 16 Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.
  • Some things to consider:
    1. The size of your company – You may not be able to afford a large CPA firm.
    2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 16 if it was performed by a firm that isn’t well known.
    3. Total SSAE 16′s or SAS 70′s performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.
    4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.
• Narrow your search.
  • Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost,  you should narrow down your search to the top 2 companies.
  • Pricing for SSAE 16′s and SAS 70′s can vary greatly depending upon the company performing the work and the size of your organization, however, I wouldn’t expect to pay any less than $25,000-$30,000.
    • You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.
• Define the scope.
  • Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.
• Define your control objectives and activities.
  • In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreeance. If this isn’t completed prior to testing, you are asking for a world of trouble.
• Perform a Readiness Assessment.
  • You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.

These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.

If you have any further questions please Contact Us!

• Ability to perform outsourcing services for Public Companies.
  • If performing financially significant duties for a Public Company, they are required to use a SSAE 16 qualified provider as it is the only way to give investors assurance over controls that are not performed by the Company in question.
• Public and Private companies are more likely to trust your organization with their data.
  • If you were to trust a company with your data, you would want complete assurance it will be handled with the utmost care
• A year round accessible knowledge source (your auditors).
  • As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce your questions and concerns off of a group of trusted individuals.
• A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
  • Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve to ensure everything functions well the following period.
• Improving performance of the organization.
  • Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.

Think of the SSAE 16 as an annual investment into your company, increasing potential new clients, productivity and accountability.

Today we will discuss the Carve-out Method.

When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.

Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.

a description of the service organization’s system prepared by management of the service organization.

- Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.

a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:

1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.

- Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)

The final component:

a service auditor’s report that expresses an opinion on the matters in b1-2.

- The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.

Specifics of reporting details for a SSAE Type I will be discussed later on!

Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:

• The fairness of the presentation of the description of the service organization’s system;
• The suitability of the design of the controls to achieve the related control objectives stated in the description; and
• The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)

2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Changes that Directly Impact Type II Engagements

1) The Service Auditor’s opinion on the fairness of the presentation of description of the service organization’s system and on the suitability of the design of the controls would be for a full period, as opposed to a specified date. (i.e. Your report would be for the 6 months covering July 2010 through December 2010.)

• The Type II report would identify the customers to whom use of the report is restricted as “customers of the service organization’s system during some or all of the period covered by the service auditor’s report”

2) Evidence obtained in prior engagements related to the satisfactory operation of controls in prior periods will not be sufficient to reduce the amount of testing performed.

Expected Change Which Didn’t Occur:

While it was expected that SSAE 16 would build upon the previous SAS 70 standard of reporting only on financial reporting activities and allow a service organization to branch out in to other areas of their business, such as regulatory compliance and performance metrics, this was not included within the initial final version of the New Standard and there has been no guidance as to when it would be expected, if ever, to be.

The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Criteria are the overreaching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.


There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.

The Trust Service Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction (online retailer), builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.

The SysTrust review encompasses a combination of the following principles:

• Security: The system is protected against unauthorized access (both physical and logical).
• Availability: The system is available for operation and use as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.

The WebTrust certification can fall into the following four categories:

• WebTrust. The scope of the engagement includes any combination of the trust principles and criteria .
• WebTrust Online Privacy. The scope of the engagement is based upon the online privacy principle and criteria.
• WebTrust Consumer Protection. The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
• WebTrust for Certification Authorities. The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.

The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, making it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls to prevent SOC 1 from being misused just like SAS 70 was.

Did you know? A business isn’t required to address all the principles, the reviews can be limited only to the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS Providers, Data Center/ Colocations, Document Production, and Data Analytics providers.