Q: What is SSAE 16?
A: Statements on Standards for Attestation Engagements (SSAE) No. 16, also known as Service Organization Control Reports (SOC), is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. This standard replaced SAS 70 for reports issued after June 15, 2011.
Q: Who can perform an SSAE 16/SOC 1 Audit?
A: An SSAE 16/SOC 1 audit can only be performed by an independent Certified Public Accounting (CPA) firm. In fact, in Colorado it is unlawful for a non-CPA firm to issue an attest report. See Colorado Revised Statue 12-2-120 Unlawful Acts (6)(II)(B). SSAE 16/SOC 1 and SOC 2 are both attest reports. The first offense for a non-CPA firm that issues an attest report is a misdemeanor and the second offense is considered a felony. CPA firms that perform SSAE 16/SOC 1 audits must adhere to specific professional standards established by the AICPA. They are required to follow specific guidance related to planning, execution, and supervision of the audit procedures and the reporting of the results of the audit.
Q: Why would my organization need an SSAE 16/SOC Audit?
A: Data is precious and service users often request proof that service providers have sufficient controls and safeguards in place where user data is transmitted, processed, and/or stored. SSAE 16/SOC 1 audit reports satisfy these requests and provide unbiased feedback of the service provider organization, which aids in meeting quality and process control initiatives. Additionally, the requirements of Section 404 of the Sarbanes-Oxley Act make SSAE 16/SOC 1 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
Q: What is the difference between Type I and Type II reports?
A: A Type I report represents a service organization’s description of controls at a specific point in time. A Type II report includes the service organization’s description of controls and detailed testing of the service organization’s controls over a minimum six-month period.
Q: How quickly can a SSAE 16/SOC be completed?
A: Generally speaking, Type I audits can usually be completed quickly, giving the service organization a report they can provide to their clients within as little as a few weeks. With Type II reports, there must be at least six months of auditable activity available as well as additional time in the audit procedures to complete testing of those control activities. Once the testing has been completed, the final report is finished and issued to the service organization within a couple of weeks. For both types of reports, the preparedness of the service organization can significantly impact the length of time needed to complete the audit and report.