What Is SSAE 16

Fact  is SSAE 16 seems to be the chatter of late for many CPA firms, service organizations, and other interested parties.  Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is the new "attest" standard put forth by the Auditing Standards  Board (ASB) of the American Institute of Certified Public Accountants (AICPA).  For reporting periods ending on or after June 15, 2011, SSAE 16 will become the new standard for reporting on controls at service organizations, essentially replacing Statement on Auditing Standards no. 70, simply known as SAS 70.

SSAE 16 represents an adoption towards more globally accepted accounting principles, which clearly can be seen when comparing the new U.S. standard from the AICPA to that of its international equivalent, ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).  
SSAE 16 also brings about a number of requirements for which service organizations will need to be well aware, most importantly that management of the service organization must provide a description of its "system" along with a written statement of assertion.  Both of these requirements differ from the previous SAS 70 auditing standard in the following manner:

Key Differences between SAS 70 and SSAE 16 Auditing Stardard

•    The SAS 70 auditing standard only called for a description of "controls", while the SSAE 16 attest standard now requires a description of its "system", which is considered to be more comprehensive and expansive than that of the SAS 70 description    of "controls.
•    SSAE 16 requires a written statement of assertion, something that was not required under SAS 70 Type I or Type II audits.  This written statement of assertion must be crafted by management and contain a number of essential clauses for which management of the service organization will effectively "assert" to.  What's important to note is that the written statement of assertion can be included within or attached to the description of the "system".  A competent, well-qualified CPA firm can help assist you with this matter.

SSAE 16 differs from SAS 70 in a number of areas; the most fundamentally important aspect being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard.  The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and their controls is not considered an audit of financial statements, thus it should not be categorized as that.

Additionally, the ISAE 3402 standard, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is an “assurance” standard, which is essentially equivalent to the SSAE 16 “attestation” standard.

As for reporting requirements for service organizations, SSAE 16 requires a description of one’s “system” along with a written assertion by management, whereas SAS 70 requires a description of “controls” and no written assertion.  The key difference between the SSAE 16 description of its “system” and the SAS 70 auditing standard’s description of “controls” is that many organizations may find themselves having to revise their prior descriptions to meet the new requirements for SSAE 16 reporting.

Generally, most practitioners seem to agree that the SSAE 16 requirements for a description of its “system” are considered more comprehensive and expansive than the SAS 70 auditing standards description of “controls”.