SSAE 16 the New Standard

SSAE 16 is the new standard and has taken over from the SAS 70 that you were used to performing, but don't worry: they are pretty similar. The most significant difference is that management needs to put together an assessment of their controls, which the auditor then attests to, placing more weight upon the service provider.

The following are the components of the write-up management is now required to put together:
  • The fairness of the presentation of the description of the service organization's system;
  • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
  • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II only).

SSAE 16 is now effective and all reports issued must be performed under the SSAE 16 standard, taking into account all of the tweaks made since SAS 70.

There are now 3 different report types, the SOC 1, SOC 2, and SOC 3, which allow for a more structured reporting approach. SOC 1 is the former SAS 70 (also known as SSAE 16) and is still meant for controls related to financial reporting only. SOC 2 and SOC 3 are the former Trust Service Principles (WebTrust/SysTrust) and are better suited for data centers and many SaaS solutions than a SOC 1.
ISAE 3402 is the new International Standard.