SSAE 16

SSAE 16 stands for “Statement on Standards for Attestation Engagements No. 16”, which was created by the American Institute of Certified Public Accountants (AICPA) and was effective June 15, 2011. A SSAE 16 is an examination which reports on the controls at a service organization. Its predecessor was the SAS 70 audit (Statement of Auditing Standards No. 70).

Understanding and applying SSAE 16 can be a daunting task to those involved in the process. You must carefully balance your clients’ needs for the review with its’ investment by your organization. Our SSAE 16 team includes Certified Information Systems Auditors, Certified Internal Auditors, and Certified Information Systems Security Professionals that will help you develop the reports and the reviews you need for SSAE 16.

Postlethwaite & Netterville provides multiple types of services: a Preliminary Readiness Review, a Type I and a Type II SSAE 16 Service Organization Controls (SOC) 1 Report, and SOC 2 and 3 Reports.  

The Preliminary Readiness Review offers an initial assessment of your control procedures and documentation.  It is useful for organizations which are considering SSAE 16 but are unsure of their level of preparedness.

In both Type I and Type II SSAE 16 Service Organization Controls (SOC) 1 Reports, an opinion is expressed by the P&N Accounting and Assurance Services Group. The Type I Report expresses an opinion on whether or not the description of controls fairly represent the relevant aspects and if they were designed to achieve the specified objectives. The Type II Report includes everything in Type I and tests whether or not the controls were operating with sufficient effectiveness.

The SOC 2 and SOC 3 reports are intended to provide assurance about controls related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality, or 5) privacy of a system and its information.  The SOC 2 and SOC 3 reports follow AT Section 101 for Attest Engagements.

All reporting options follow the American Institute of CPAs standards of quality control and engagement acceptance.

Our team can work with you to determine which level of service may be most appropriate for your needs.