
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) was issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). SSAE 16 is documented in the AICPA Professional Standards as the Reporting on Controls at a Service Organization (AT § 801).

The Statement on Auditing Standards No. 70 (SAS 70), Service Organizations (AU § 324), was often misused to report on compliance and operational controls rather than on controls relevant to financial reporting. To correct this misuse, SSAE 16 replaces the guidance in SAS 70 for service auditors reporting on a service organization's controls relevant to user entities' internal control over financial reporting (ICFR).

Audit Types

Audits are classified as either a Type 1 or Type 2 audit.

Type 1

A Type 1 audit reviews your systems to evaluate whether the description of your controls fairly presents what was in place and whether the design of your controls is suitable to meet your stated control objectives as of a specified date.

Type 2

A Type 2 audit reviews your systems to evaluate whether the description of your controls fairly presents what was in place and whether both the design and the operating effectiveness of your controls suitably met your stated control objectives throughout a specified period (typically six months).

Who Needs It

If your organization provides outsourced services that touch or have a bearing on another organization's data, you need to properly handle and protect that data. Customers choose to do business with organizations based upon whether or not they have undergone a thorough independent audit to demonstrate security controls.

At its core, an SSAE 16 audit is a means through which your organization can demonstrate the lengths you go to in order to protect the sensitive data of your customers. As prescribed by AT § 801:

.06 The objectives of the service auditor are to:
  (a) obtain reasonable assurance about whether, in all material respects, based on suitable criteria,
    (i) management's description of the service organization's system fairly presents the system that was designed and implemented throughout the specified period (or in the case of a type 1 report, as of a specified date).
    (ii) the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period (or in the case of a type 1 report, as of a specified date).
    (iii) when included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the control objectives stated in management's description of the service organization's system were achieved throughout the specified period.
  (b) report on the matters in 6(a) in accordance with the service auditor's findings.

Service organizations that typically have SSAE 16 audits performed include:

  • Datacenters
  • Credit card processors
  • Web hosting providers
  • Managed services providers
  • Hosted software (SaaS) providers
  • Any organization that potentially impacts the financial statements of another company

What We Do

An SSAE 16 audit is performed as a Service Organization Control 1 (SOC 1) examination. The audit reviews the transaction processing and data security controls that are likely to be relevant to your customers' financial reporting.

We provide a collaborative SSAE 16 audit and have streamlined the audit process to create efficiencies in both effort and cost. Based on our methodology, we can work with you to perform much of the audit remotely, reducing the amount of time required onsite to only a day or two. This allows your staff to stay focused on their work responsibilities while our team efficiently conducts the audit in a cost-effective manner.

At the conclusion of the audit, your SOC 1 report and opinion letter document the results as a formal attestation that you are maintaining security controls over your systems and that they are appropriate, accurate and reliable.

Independent Expertise

If you are currently working with an existing CPA firm to provide your SSAE 16 audit and are looking for the experience of a dedicated security company, 403 Labs also offers independent:

  • Readiness assessments and pre-audit assistance to help you prepare for and determine if you are capable of undergoing a successful SSAE 16 audit.
  • Identification and documentation of your security controls, which is a required precursor to an SSAE 16 audit, used as the basis of your audit and contained in your final SOC 1 report.
  • Post-audit assessments to follow up and prepare responses on exceptions noted during an SSAE 16 audit and provide additional security controls that may be beneficial to your organization.
  • Review and analysis of your provider's SSAE 16 audit to further examine and explain the controls they have in place to safeguard your data (a required component of your auditing due diligence).
