Regulatory Compliance, Governance and Security

Nov 17 2010   5:22PM GMT

SSAE 16 | Description of the “System” | What you Need to Know



Enter SSAE 16 and its new requirement for service organizations to provide a description of their “system”. As for out with the old and in with the new, Statement on Auditing Standards No. 70, simply known as SAS 70 to all of us, required “only” a description of “controls”. I stress “only” because it has gradually been acknowledged by most professional auditors that the new SSAE 16 requirement of a description of one’s “system” is looked upon as more detailed, comprehensive, and far-reaching than the SAS 70 audit’s description of “controls”.

In fact, literature released by the AICPA in 2010 regarding the new SSAE 16 standard clearly illustrates and gives examples of what is considered subject matter for a description of a service organization’s “system”.

Service organizations are going to have to re-visit their previous SAS 70 description of “controls” narrative, and possibly make significant changes to meet the true intent, rigor and spirit of the new SSAE 16 reporting requirements.

My advice? Work with your auditor to ensure your description of the “system” meets the requirements set by SSAE 16.
