This is a question we are asked frequently by our clients and prospective clients, and the answer is: It Depends.
The SSAE 16 guidance states that the period of review, or time frame that the report covers, should be at least six (6) months in the case of a Type 2 SSAE 16 examination. While this standard sets a minimum period of review, it can be set to cover any period of time over 6 months – i.e., six months, nine months or one year.
It is highly recommended that a report be issued at least annually, allowing the user entities and user auditors to assess the control risk for the financial statement assertions impacted by the services provided by your company.
SSAE 16 reports evaluate controls at a service organization relevant to user entities’ internal control over financial reporting and ultimately their financial statements. The report is intended to meet the needs of CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
Over 75% of our service organization clients have the examination conducted annually. This is due to the fact that the user entity and their auditors will need assurance that the service organization’s controls are operating effectively for the current fiscal year financial audit of the user organization.
Evaluating the Benefits:
A Type 2 SSAE 16 frequency is usually tied to the user entities’ financial statement audit, which is why it is typically performed annually. Without a Type 2 SSAE 16 a user entities’ financial audit fees may increase due to the additional work their auditors have to perform at the service organization. Additionally, having an annual Type 2 SSAE 16 frequently results in more efficient and price effective fees from the service auditor due to our familiarity with the environment.
In our experience, organizations that undergo an annual Type 2 SSAE 16 examination have less findings in their reports. This is due to the fact that they focus on internal controls more so than organizations that undergo an examination less frequently and may not be as focused on internal controls.