Regulatory Compliance, Governance and Security


March 10, 2011  3:00 PM

SOC 3 SysTrust and WebTrust Services | What you Need to Know

Charles Denyer Charles Denyer Profile: Charles Denyer

Heard about SOC 3 and SysTrust | WebTrust, commonly known as the “Trust Services”? If not, you are about to start seeing SOC 3 reports surface, due in large part to the American Institute of Certified Public Accountants (AICPA) extensive efforts in reshaping service organization reporting. In short, the SAS 70 auditing standard is being replaced by SSAE 16, a new attestation standard, which is part of the new AICPA Service Organization Control (SOC) reporting framework, of which SSAE 16 falls under SOC 1 reporting.

So, back to SOC 3, which is an attempt by the AICPA to have service organizations that are involved in e-commerce, e-business, and other supporting I.T. activities utilize this (SOC 3) reporting platform (or quite possibly SOC 2, which I’ll speak about in another post) as evidence of an organization’s commitment to having in place a secure system, which would be validated against the main principles and criteria of SysTrust and WebTrust, which are that of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

It will be interesting to see how the entire SOC framework plays out and what reporting options will be utilized. For simplicity, here is how the Service Organization Control (SOC) reporting framework is broken down:

SOC 1-Will use SSAE 16 as the professional Standard
SOC 2-Will use AT Section 101 as the professional Standard
SOC 3-Will rely on the SysTrust and WebTrust Principles and Criteria (Trust Services)

January 9, 2011  6:59 PM

SSAE 16 vs. SAS 70 | Here’s What You Need to Know

Charles Denyer Charles Denyer Profile: Charles Denyer

SSAE 16 vs. SAS 70 seems to be a hot phrase as of late and for good reason. After approximately 19 years of faithful service of reporting on controls at service organizations, the SAS 70 auditing standard is being effectively replaced by SSAE 16. There’s much to learn about SSAE 16 when you compare it to the prior SAS 70 standard.

Here are some of the hot-button issues you should be vitally aware of:

1. SSAE 16 requires a Written Assertion by Management; an assertion whereby management of the service organization effectively asserts to a number of clauses.
2. SSAE 16 requires management of the service organization to provide a description of its “system”, which is different from SAS 70, which only called for a description of “controls”.
3. SSAE 16 also brings into play a number of different elements, such as “monitoring”, the “identification of risk” along with the notion of “suitable criteria”.
4. Also, SSAE 16 is now part of a much broader initiative by the American Institute of Certified Public Accountants (AICPA) known as Service Organization Control (SOC) reports, for which SSAE 16 falls under the SOC 1 framework.

In short, there’s much to learn about SSAE 16, and most service organizations would highly benefit from an SSAE 16 Readiness Assessment by a competent, well-qualified CPA firm. Additionally, add to the mix of the new SOC reporting framework, specifically that of SOC 2 and AT Section 101, and things can get quite complex indeed.


November 17, 2010  5:22 PM

SSAE 16 | Description of the “System” | What you Need to Know

Charles Denyer Charles Denyer Profile: Charles Denyer

Enter SSAE 16 and it’s new requirement for service organizations to provide a description of its “system”. As for out with the old and in with the new, Statement on Auditing Standards No. 70, simply known as SAS 70 to all of us, required “only” a description of “controls”. I stress “only” because it has gradually being acknowledged by most professional auditors that the new SSAE 16 requirement of a description of one’s “system” is looked upon as more detailed, comprehensive, and far-reaching than that of the SAS 70 audit’s description of “controls”.

In fact, literature released by the AICPA in 2010 regarding the new SSAE 16 standard clearly illustrates and gives examples of what is considered subject matter for a description of a service organization’s “system”.

Service organizations are going to have to re-visit their previous SAS 70 description of “controls” narrative, and possibly make significant changes to meet the true intent, rigor and spirit of the new SSAE 16 reporting requirements.

My advice? Work with your auditor for ensuring your description of the “system” meets the requirements set by SSAE 16.


November 16, 2010  8:43 PM

SSAE 16 Management Assertion | What you Need to Know

Charles Denyer Charles Denyer Profile: Charles Denyer

SSAE 16, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), requires that the service organization provide a written assertion (i.e., “management assertion, “written statement of assertion”) to the service auditor. This statement effectively asserts to the following clauses for purposes of SSAE 16 reporting:

Management’s description of the service organization’s “system” fairly presents the service organization’s system that was designed and implemented at either a specific date (Type 1 report) or implemented throughout a specified time period (Type 2 report).

The control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives at either a specific date (16 Type 1 report) or designed throughout a specified time period (Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.

The criteria used to effectively making these assertions (i.e., risk factors relating to controls and control objectives) and (for a SSAE 16 Type 2) that the controls were consistently applied.

To learn more about SSAE 16, visit the SSAE 16 Resource Guide.


September 29, 2010  8:54 PM

ISAE 3402 and SSAE 16 | Say Goodbye to the SAS 70 Auditing Standard

Charles Denyer Charles Denyer Profile: Charles Denyer

ISAE 3402, The International Standard on Assurance Engagements,“Assurance Reports on Controls at a Service Organization” and SSAE 16, Statement on Standards for Attestation Engagements No. 16, are effectively replacing the U.S. Statement on Auditing Standards No. 70, known as SAS 70.

SAS 70, which has been with us since April of 1992, slowly grew into an internationally recognized auditing standard that was used by service auditors performing engagements on service organizations for purposes of reporting on controls placed in operation and (in the case of a SAS 70 Type II) their operating effectiveness.

What’s interesting to note about SSAE 16 and ISAE 3402 is that they both require a description of the service organization’s “system” along with a written assertion by management. SAS 70 required merely a description of “controls” and did not require a written assertion by management. These are two (2) fundamental components of SSAE 16 and ISAE 3402 that all service organizations should be aware of.

Some service organizations will find that substantial work will have to be undertaken for ensuring their prior SAS 70 description of “controls” meets the intent and rigor of the SSAE 16 and ISAE 3402 description of its “system”. Lastly it is important to note that SSAE 16 is now an “attest” standard, while ISAE 3402 is an “assurance” standard.


July 22, 2010  9:25 PM

SSAE 16 Readiness Assessments | The Transition from SAS 70 Begins

Charles Denyer Charles Denyer Profile: Charles Denyer

SSAE 16 Readiness Assessments will without question become a hot “to do” list for many service organizations who are effectively transitioning from SAS 70 to the new SSAE 16 standard. Some organizations will find the transition to be relatively smooth, while others will find significant work will need to be done for meeting the requirements of SSAE 16.

Much like SAS 70 Readiness Assessments, an SSAE 16 Readiness Assessment should be looked upon as a useful and proactive step in meeting compliance. There are without question a number of items that an SSAE 16 Readiness Assessment can assist with, such as audit scope, how to prepare one’s description of its “system” along with preparing a written assertion by management.

Additionally, an SSAE 16 Readiness Assessment can help unearth what role, if any, the internal audit function would play in a SSAE 16 Type 1 or Type 2 engagement.

In short, they are important and should be considered a “must do” for any service organization seeking to comply the new standard. Hello SSAE 16 ( and ISAE 3402)….goodbye SAS 70.


July 21, 2010  11:53 AM

SSAE 16 | Preparing your Organization for the New Changes

Charles Denyer Charles Denyer Profile: Charles Denyer

SSAE 16, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), will force a large number of service organizations to fundamentally re-address many of the compliance issues that they faced with the SAS 70 auditing standard. SAS 70, which is effectively being replaced by SSAE 16 in 2011, will be put to rest, giving rise to Statement on Standards for Attestation Engagements No. 16.

It is worth noting that two of the most important components of the new SSAE 16 standard in regards to service organization requirements are the following:

1. Management must provide a description of its “system”.
2. Management must provide a written assertion-simply known as the written assertion by management.

What’s interesting to note is that the SAS 70 auditing standard called for only a description of “controls”, and did not even require a written assertion by management. These two issues alone (along with others) will require service organizations to spend considerable time and effort in preparing for these reporting requirements for SSAE 16. Be ready, the migration from SAS 70 to SSAE 16 (and possibly ISAE 3402) is fast underway.


July 14, 2010  6:35 PM

SSAE 16 | Statement on Standards for Attestation Engagements No. 16

Charles Denyer Charles Denyer Profile: Charles Denyer

SSAE 16, the new attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), will effectively replace Statement on Auditing Standards No. 70 (SAS 70) as the primary standard used for reporting on service organizations. SSAE 16 also has an international equivalent, known as ISAE 3402. In short, both SSAE 16 and ISAE 3402 represent a convergence and adoption of more universally accepted standards for reporting on controls at service organizations. SAS 70, introduced in April of 1992, has had a long, storied, and successful career, to say the least, but change is inevitable.

What’s important to note about SSAE 16, other than the changes it represents from SAS 70, is its willingness (within the ASB of the AICPA) to adopt global standards for reporting on service organizations-a trend that is being played out in many other areas within the accounting industry.

It will be interesting to see how the landscape plays out for SSAE 16 and ISAE 3402 along with the continued reporting on controls at service organizations.


May 17, 2010  11:24 AM

ISAE 3402 | A New Standard Has Arrived for Reporting on Service Organizations

Charles Denyer Charles Denyer Profile: Charles Denyer

ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC), will play a large and ever-expanding role for reporting on controls at service organizations. The ISAE 3402 standard requires two (2) important components that will fundamentally change reporting for service organizations: 1. Management must provide a written assertion and 2. management must provide a description of the service organization’s “system”.

There are also a number of other roles, responsibilities, and requirements which management must undertake, but what’s important to note at this point is why the new auditing standard came to be, effectively creating a need for the U.S. standard (SAS 70) to be replaced, which is being done with SSAE 16.

ISAE 3402 represents a migration towards global accounting principles and standards; one that creates transparency and much more clarity when reporting on controls at service organizations. SAS 70, the standard used globally by many practitioners, had been showing its limitations for a number of years, due in large part that it was a U.S. based standard and was not always meeting the ever-growing and complex reporting requirements for service organizations.

ISAE 3402 (and the U.S. Standard of SSAE 16) are soon on their way to becoming the “standard” for reporting on controls at service organizations. Early adoption of the two standards is permitted, but it seems likely most service organizations will wait until 2011. Be prepared and get the facts about the ISAE 3402 standard.


May 16, 2010  1:56 PM

ISAE 3402 | The New Global Standard for Assurance Reporting on Service Organizations has Arrived!

Charles Denyer Charles Denyer Profile: Charles Denyer

ISAE 3402: The International Standard on Assurance Engagements, “Assurance Reports on Controls at a Service Organization”, is the new global standard for assurance reporting on service organizations. What’s interesting to note about ISAE 3402 is that there are two (2) critical components that service organizations will now have to adhere to: (1). The service organization must produce a description of it’s “system”. (2). The service organization must also provide a written statement of assertion. This differs from the popular SAS 70 auditing standard where no written statement of assertion was required and a description of “controls” was only required, not a description of the “system”.

In short, expect ISAE 3402 to bring about significant changes for reporting on service organizations-due in large part to the two (2) requirements put forth by the ISAE 3402 standard itself that differ from SAS 70.

Also, SAS 70 is effectively being replaced and superseded by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), with it becoming effective for reporting periods ending on or after June 15, 2011.

SSAE 16 and ISAE 3402 are essentially similar standards, with some slight technical variations. They are the convergence of auditing standards that have resulted in a more unified and transparent framework for reporting on controls at service organizations.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: