SSAE 16, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), requires that the service organization provide a written assertion (i.e., “management assertion, “written statement of assertion”) to the service auditor. This statement effectively asserts to the following clauses for purposes of SSAE 16 reporting:
Management’s description of the service organization’s “system” fairly presents the service organization’s system that was designed and implemented at either a specific date (Type 1 report) or implemented throughout a specified time period (Type 2 report).
The control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives at either a specific date (16 Type 1 report) or designed throughout a specified time period (Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.
The criteria used to effectively making these assertions (i.e., risk factors relating to controls and control objectives) and (for a SSAE 16 Type 2) that the controls were consistently applied.
To learn more about SSAE 16, visit the SSAE 16 Resource Guide.