You may be familiar with SAS 70: an audit standard used for businesses that provide a service relating to their clients’ finances. If you feel like you just figured out SAS 70 audits, I’m sorry to say that from now on, you will be undergoing Statement on Standards for Attestation Engagements 16 (SSAE 16) assessments instead. The information required is not totally different from SAS 70, but it is a somewhat more in-depth process, and will take a bit more time to complete for some organizations.
Why Do I Need To Do an SSAE 16 Assessment?
You need to complete an SSAE 16 assessment for the same reasons that you needed a SAS 70 audit in the first place. You provide services to your customers (Software-as-a-Service or a “Cloud” offering) and some or all of your customers are publicly-traded companies registered with the Securities and Exchange Commission (SEC). If your company provides a service that impacts your clients’ finances, such as payroll processing, accounting, or benefits administration, you need an SSAE 16 assessment. Your publicly-traded customers will probably require a copy of your SSAE 16 assessment report. You don’t want to lose customers because you fail to provide this report.
How Does SSAE 16 Help You?
Not only will your SSAE 16 assessment fulfill the requirements of your publicly-traded clients, but it will kill many birds with one stone. Instead of being audited by multiple customers, the SSAE 16 is an assessment you complete only one time--providing the same assessment report to any publicly-traded customer’s auditor who requests it. That way, your customers can confidently use the report as part of their own audits of controls.
What are the Differences between SAS 70 and SSAE 16?
The main difference between SAS 70 and SSAE 16 is the depth of information you will now have to provide, including (among other things):
A management attestation
Verification that appropriate criteria are used for system evaluation
Evidence for every control during each assessment, rather than reusing prior evidence
The main reason SSAE 16 requires management attestation is because SSAE is an attest standard rather than an audit standard. Instead of only auditors giving their opinion of the controls in your company, management is included in the assessment. Management must describe your company’s service delivery system, controls and control objectives. The attestation holds management directly accountable.
Management must use suitable criteria from a widely-recognized (or otherwise acceptable) standard with a reasonable level of rigor when evaluating your company’s service delivery system. The standards are dependent upon the type of service you provide.
It may seem like a big pain, but SSAE 16 prohibits the use of prior evidence as opposed to SAS 70 allowing auditors to use evidence gathered in prior audits, which saved some companies a lot of time.
Ready to Take the Plunge?
This article is just a brief introduction to SAS 70 and SSAE 16. My wife, Amanda, is an expert on the subject and wrote a very informative article with all the data you would need to understand SAS 70 and SSAE 16. Her article provides in-depth information on how you can make the switch from SAS 70 to SSAE 16, as well as great tips on how to set up the process of completing a SSAE 16 report right the first time. As always, let me know what you think!
CURT FINCH has more than two decades of software development and distributed workforce management experience. In 1997, Curt created the world's first internet-based timesheet application and the foundation for the current Journyx product offering. Curt has a B.S. in Computer Science from Virginia Tech. His book, All Your Money, is available on Amazon. @curtfinch