SSAE 16, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), will force a large number of service organizations to fundamentally re-address many of the compliance issues that they faced with the SAS 70 auditing standard. SAS 70, which is effectively being replaced by SSAE 16 in 2011, will be put to rest, giving rise to Statement on Standards for Attestation Engagements No. 16.
It is worth noting that two of the most important components of the new SSAE 16 standard in regards to service organization requirements are the following:
1. Management must provide a description of its “system”.
2. Management must provide a written assertion-simply known as the written assertion by management.
What’s interesting to note is that the SAS 70 auditing standard called for only a description of “controls”, and did not even require a written assertion by management. These two issues alone (along with others) will require service organizations to spend considerable time and effort in preparing for these reporting requirements for SSAE 16. Be ready, the migration from SAS 70 to SSAE 16 (and possibly ISAE 3402) is fast underway.