Criteria, as defined by the SSAE 16 guidance, are:
"The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter."
Criteria are the overarching goals that the control objectives and control activities in place are designed to meet, and on which the final report gives assurance; for example, "The system is protected against unauthorized access (both physical and logical)." To meet this criterion, a company may decide to include controls such as "Firewalls are installed at all external entry points" or "A user access review of access badges is performed on a monthly basis." Criteria are the benchmark against which the service auditor assesses the design and operating effectiveness of an organization's internal controls. Management, however, remains responsible for ensuring that the controls in place sufficiently support the defined criteria: a criterion with no control mapped to it, or one supported only by controls that do not actually address it (a firewall rule set alone does nothing for physical access), is a gap that the auditor will report.
Best practice criteria are available for most industries and reflect prevailing internal control best practices and requirements from around the world; some of these can be found on the AICPA website if you would like additional examples.