Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 (SAS 70) and has been superseded by SSAE No. 18.

The "service auditor’s examination" of SAS 70 is replaced by a System and Organization Controls (SOC) report. SSAE 16 was issued in April 2010, and became effective in June 2011. Many organizations that followed SAS 70 have now shifted to SSAE 16. Some service organizations use the SSAE 16 report status to show they are more capable, and also encourage their prospective end-users to make having an SSAE 16 a standard part of new vendor selection criteria.

SSAE 16 mirrors the International Standard on Assurance Engagements (ISAE) 3402. Similarly, SSAE 16 has two different kinds of reports. A SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day. A SOC 1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.

Public companies in the United States fall under the Public Company Accounting Reform and Investor Protection Act, also known as Sarbanes–Oxley or SOX. However, there are also a number of provisions of the Act (e.g. the willful destruction of evidence to impede a federal investigation) that apply to privately held companies. SSAE 16 reporting can help service organizations comply with Sarbanes–Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting.

For reports that are not specifically focused on internal controls over financial reporting, the American Institute of Certified Public Accountants (AICPA) has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 audits and focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set. In this respect, it is similar to ISO 27001:2013.

Technology services

In technology SaaS companies, the SOC 2 audit is purchased to provide an assurance on various aspects of the software including security, availability, and processing integrity.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.