The International Auditing and Assurance Standards Board (IAASB) recently issued the new International Standard on Assurance Engagements ISAE 3402, Assurance Reports on Controls at a Third Party Service Organization. As a result, the American Institute of Certified Public Accountants (AICPA) redrafted its Statement on Standards for Attestation Engagements (SSAE) No. 16, which addresses engagements undertaken by a service auditor for reporting on controls at organizations that provide services to user entities. The relevant controls are internal controls over financial reporting (ICFR).
SSAE16 effectively replaces Statement on Auditing Standards No. 70 (SSAE16) for service auditor's reporting periods ending on or after June 15, 2011. Two types of SSAE16 reports are issued, Type I and Type II.
These revisions of SSAE16 represent the first significant modifications to the standard since it was issued nearly two decades ago. SSAE16 is intended to help bring U.S. companies up to date with new international service organization reporting standards, ISAE 3402. This will simplify the process for auditing and reporting on international organizations.
The SSAE16 SOC-1 Type II audit minimizes the need for multiple sets of auditors to separately examine the same set of controls that govern a third party's services. These standards provide guidance to external auditors on Generally Accepted Auditing Standards (GAAS) in regards to auditing an entity and issuing a report. There are more than one hundred such standards in existence.
SOC-2 Type II reports are attestation reports that opine on controls at a service organization relevant to the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed for the user entities. SOC-2 reports are an alternative to SOC-1 examinations.