
SSAE 16 vs ISAE 3402 – Part 1

SSAE 16 was built upon the ISAE 3402 framework. The two standards are essentially the same thing, but ISAE 3402 is accepted at an international level, and SSAE 16 contains a number of deviations from it that will be discussed here over time. The AICPA and other standard-setting organizations are now encouraged to design their frameworks for reporting on controls at a service organization around the ISAE 3402 framework; this allows for greater consistency and lower cost when completing engagements globally. ISAE 3402 was intentionally designed to allow for minor modifications to adjust for local protocols and existing frameworks.

SSAE 16 contains 9 deviations from the ISAE 3402 framework, which at a high level include:

      1. Intentional Acts by Service Organization Personnel
      2. Anomalies
      3. Direct Assistance
      4. Subsequent Events
      5. Statement Restricting Use of the Service Auditor’s Report
      6. Documentation Completion
      7. Engagement Acceptance and Continuance
      8. Disclaimer of Opinion
      9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report

These topics will be covered in greater depth at a later time; however, they are not of concern if you do not plan on providing outsourced services to an organization located outside of the United States.

SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization that are relevant to user entities’ internal control over financial reporting. The SOC 1 Report is what you would previously have known as the standard SAS 70 report, complete with Type I and Type II variants, but it falls under the SSAE 16 guidance (and soon SSAE 18).


In addition to the SOC 1 report, which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance (the AICPA Trust Services criteria: security, availability, processing integrity, confidentiality, and privacy). These will be discussed in further detail in the future.

Please see the SOC 1 Reporting Guide page for additional information.

SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refers to the controls that are in place at your company (the service organization) to achieve the control objectives stated in your system description.

Many of these controls should be covered within your policies and procedures, which should accurately depict the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor tests your control objectives and control activities, your P&P are the evidence that the controls were designed to achieve those objectives. P&P alone are not enough to show that a control is operating effectively, but they do support the design effectiveness of a control.

Typically a service auditor will perform testing beyond the P&P, around the control objectives and activities, to confirm that employees are actually performing their duties in accordance with the P&P. Without that additional testing it would be impossible to have comfort that the P&P are actually being followed.

Simply put, good policies and procedures will only get you so far during an audit, because you still need to prove to the auditors that the functions management says are being performed are in fact being carried out correctly.

This information is also consistent with SSAE 18, which is effective for service auditor reports dated on or after May 1, 2017.

SSAE 18 / SOC 1 Type I Report – Background Information

An SSAE 18 / SOC 1 Type I Report shows user organizations that your organization has appropriately designed controls in place as of a specified date (the “as of” date stated in the report). It does not provide assurance that the controls are executed consistently over a period of time; that is the purpose of the Type II report, and it is what most companies are hoping to see when they ask for evidence of a SOC report.

So, while the Type II report is preferred, the Type I report is an important step in the right direction for an organization that has never undergone an audit and is looking to show it is serious about compliance.

A Type I Report is specifically defined by the SSAE 18 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”; essentially, it is a determination of whether your company’s controls are designed appropriately. When performing a Type I engagement, the auditors test the design effectiveness of your company’s controls by examining one item per control, reviewing the relevant policy, or making inquiries of personnel. This provides a user organization with some comfort that your company (the service organization) has controls in place, but it is not evidence of operating effectiveness. This can be useful when trying to win a contract, to show good faith to potential user organizations, or to maintain current contracts when customers have updated compliance requirements they must meet.

The SSAE 18 Type I report has three sections: Management’s Assertion, the Service Auditor’s Opinion, and Management’s Description of the System, which covers the service offerings under review and the corresponding control objectives and control activities.