Statement on Standards for Attestation Engagements (SSAE) 16
Service Organization Control (SOC) 1 Type II Report
SSAE 16 Definition: Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls of organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to the user entities’ internal controls over financial reporting (ICFR).
SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditor's reporting periods ending on or after June 15, 2011. Two (2) types of SSAE 16 reports are to be issued, a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its "system" along with a written assertion by management.
Additionally, SSAE 16, along with AT Section 101 (“Attestation Standards”), form the underlying platform and professional standards upon which the new AICPA Service Organization Control (“SOC”) reporting framework is founded, which consists of SOC 1, SOC 2, and SOC 3 reports.
You can learn more about the AICPA (“SOC”) framework by visiting their website along with the helpful SOC 1, SOC 2, and SOC 3 white papers and articles found at the SSAE 16 Resource Guide.
Overview of Testing of Controls:
- Employment Practices
- Plan Implementation
- Benefits Administration and Enrollment Services
- Premium Processing
- Retirement Contribution Processing
- Claims Processing
- Application System and Infrastructure Development & Maintenance
- Physical Access and Environmental Controls