Statement on Standards for Attestation Engagements (SSAE) 16 is an auditing standard for service organizations, superseding SAS 70. The latter's "service auditor’s examination" is replaced by a "Service Organization Controls" (SOC) report. SSAE 16 was issued in April 2010, and became effective in June 2011; many organizations which followed SAS 70 have now shifted to SSAE 16. Some service organizations are becoming savvy to the ability to use the SSAE 16 report status to show they are more capable, also encouraging their prospective endusers to make having a SSAE 16 standard part of new vendor selection criteria. It is widely known that public companies fall under the Public Company Accounting Reform and Investor Protection Act” or SOX, however there are also a number of provisions of the Act that apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.
SSAE 16 is largely an American standard, but it mirrors ISAE 3402. Similarly SSAE 16 has two different kinds of reports; a SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day, whilst a SOC 1 type 2 report also adds a historical element, showing that controls were managed over time (typically 12 months).
SSAE 16 reporting can help service organizations comply with Sarbanes Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centres, or any other service that might be used in the delivery of financial reporting.
For reports that are not specifically focused on internal controls over financial reporting, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 audits and focus on controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy.
SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set; in this respect it is similar to ISO 27001:2013.