October 19, 2017

What is AT-101?



AT-101 was developed to put requirements in place for CPAs examining and issuing reports on controls over subject matter other than financial reporting. These standards are codified within AT section 101, Attest Engagements, of the attestation standards, not under SSAE 16.

Some of the audits issued under AT-101 that are gaining prominence in the marketplace include the SOC 2 and SOC 3 reports, which are based upon the trust service principles. AT-101 also permits companies to undergo a review of controls over just about any non-financial-reporting process that a third party may want assurance of, so it essentially serves as a catch-all.

Lately, accounting firms have begun issuing combined SSAE 16 (SOC 1) and AT-101 reports. The controls that impact financial reporting are covered within the SOC 1, and the others, typically IT-related controls, are covered within the AT-101. While this may sound confusing or redundant at first, it allows for a better segregation and organization of controls from an auditing standpoint.

SSAE 16 Certified? Compliant? No such thing!



A popular misunderstanding about SSAE 16 is that a service organization can become “SSAE 16 certified” or “SSAE 16 compliant” after undergoing a type 1 or type 2 engagement. However, there is no such certification.

An SSAE 16 report is designed as an auditor-to-auditor communication, used to provide user auditors with detailed information about controls at a service organization that affect the information provided to user entities (you wouldn’t want your payroll provider losing your data!). All service auditors’ reports include a detailed description of the service organization’s system, and a type 2 report includes a detailed description of tests of controls performed by the service auditor and their results. The user auditor reads this detailed information to determine how the service organization’s system generates information and what controls are in place to protect the information. Additionally, the auditors review the report to understand how the service organization interacts with the user entity’s financial reporting system, including how the information gets incorporated into the user entity’s financial statements. Due to the differences in every company’s systems and processes, this is not something that can be standardized and boiled down to a certification!

SSAE 16 – The SAS 70 Replacement



SSAE 16 is the SAS 70 replacement and adds a new requirement: the service auditor must obtain a written assertion from management of the service organization about the fairness of the presentation of the description of the service organization’s system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls. That assertion typically is included within the service auditor’s report or within the description of the service organization’s system. In addition to the required management assertion, there are other substantive changes introduced in the switch to SSAE 16, including:

  • The service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
  • The service auditor is required to identify in the description of tests of controls any tests of controls performed by internal auditors and the service auditor’s procedures with respect to that work.
  • In a type 2 engagement, the service auditor’s opinion on the description of the service organization’s system and on the suitability of the design of controls covers a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). In SAS no. 70, the opinion on the description and on the suitability of the design of controls in a type 2 report is as of a specified date, rather than for a period.
  • The service auditor’s examination report must contain the report elements identified in paragraph .85 of AT section 101. (These report elements are tailored to a service auditor’s engagement in paragraphs 52 and 53 of SSAE no. 16.)

What is SSAE 16?



SSAE 16 is an update to the previous standard, the SAS 70, and now requires the Service Organization’s Management to attest to the operating effectiveness of their Company’s controls in a newly added section to the report (“Management’s Assertion”).