SSAE 16 vs. SAS 70 seems to be a hot phrase as of late and for good reason. After approximately 19 years of faithful service of reporting on controls at service organizations, the SAS 70 auditing standard is being effectively replaced by SSAE 16. There’s much to learn about SSAE 16 when you compare it to the prior SAS 70 standard.
Here are some of the hot-button issues you should be vitally aware of:
1. SSAE 16 requires a Written Assertion by Management, in which management of the service organization asserts to a number of clauses.
2. SSAE 16 requires management of the service organization to provide a description of its “system”, which is different from SAS 70, which only called for a description of “controls”.
3. SSAE 16 also brings into play a number of different elements, such as “monitoring”, the “identification of risk”, and the notion of “suitable criteria”.
4. Also, SSAE 16 is now part of a much broader initiative by the American Institute of Certified Public Accountants (AICPA) known as Service Organization Control (SOC) reports, in which SSAE 16 falls under the SOC 1 framework.
In short, there’s much to learn about SSAE 16, and most service organizations would highly benefit from an SSAE 16 Readiness Assessment by a competent, well-qualified CPA firm. Add to the mix the new SOC reporting framework, specifically SOC 2 and AT Section 101, and things can get quite complex indeed.