June 18, 2018

SSAE 16 Certified? Compliant? No such thing!

A popular misunderstanding about SSAE 16 is that a service organization can become “SSAE 16 certified” or “SSAE 16 compliant” after undergoing a type 1 or type 2 engagement. However, there is no such certification.

An SSAE 16 report is designed as an auditor-to-auditor communication, used to provide user auditors with detailed information about controls at a service organization that affect the information provided to user entities (you wouldn’t want your payroll provider losing your data!). All service auditors’ reports include a detailed description of the service organization’s system, and a type 2 report includes a detailed description of tests of controls performed by the service auditor and their results. The user auditor reads this detailed information to determine how the service organization’s system generates information and the controls in place to protect the information. Additionally, the auditors review the report to understand how the service organization interacts with the user entity’s financial reporting system, including how the information gets incorporated into the user entity’s financial statements. Due to the differences in every company’s systems and processes, this is not something that can be standardized and boiled down to a certification!