The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, was issued in April 2010. As of June 15, 2011, SSAE 16 effectively replaces the long-standing SAS 70 as the U.S. standard for reporting on a service organization’s internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1. The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting. SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now. Service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed will need to make changes to report effectively under the new SSAE 16 standard.


Companies associated with the collections industry, be they agencies, attorneys or vendors to agencies (for example, companies that sell to or host collections software on behalf of agencies), have a direct or an indirect impact on the financial statements of their customers (creditors or asset buyers). Creditors or asset buyers who outsource the collections process to a third-party agency, attorney or vendor to the agency require independent assurance that the agency, attorney or vendor has adequate controls in place so as not to have an adverse impact on the controls related to, and the accuracy of, their financial statements. The SSAE 16 report is the perfect vehicle for creditors and asset buyers to obtain that level of assurance and for agencies, attorneys and vendors to agencies to provide that assurance to them.


Globalization of business process outsourcing drove the need for a common global standard. SSAE 16 was issued to align with International Standards on Attestation Engagements (ISAE) 3402. There was also a need for increased emphasis on the service organization rather than the auditor; SAS 70 was more focused on the auditor than on the service organization. Companies reporting under SAS 70 held several misunderstandings, namely that SAS 70 was the implementation of best practices and that it was a certification. SSAE 16 clarifies these misunderstandings.


SSAE 16 will continue to enable a service auditor to perform two types of engagements:

  1. A Type 1 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  2. A Type 2 engagement in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


The following are some of the notable changes introduced by SSAE 16:

  1. A written assertion by management is required and must include the suitable criteria used for its assessment.
  2. The audit report must include a written assertion by the subservice organization if the inclusive method is used.
  3. While SAS 70 required only a description of controls, SSAE 16 requires a description of systems / processes.
  4. Management of the service organization must identify risks that threaten the achievement of the control objectives.


Service organizations such as collection agencies, software vendors who sell software to the collections industry, and attorneys that specialize in the collections industry can all receive significant value from having an SSAE 16 examination performed. An SSAE 16 report with an unqualified opinion that is issued by an independent CPA firm differentiates the service organization from its peers by demonstrating that it achieved a defined set of control objectives relevant to its specific industry, that its controls are effectively designed and, in the case of a Type 2 report, that the controls are operating effectively over a period of time. An SSAE 16 report will not only help a service organization build trust with its existing customers but also position it in the marketplace to attract new clients. A clean SSAE 16 report can put small to mid-sized service organizations on a level playing field with some of their larger competitors. Most Requests for Proposals today almost inherently have the requirement for the service organization to have been subject to an SSAE 16 examination. In fact, by not having an SSAE 16 examination, you face the likelihood of being eliminated from an opportunity before even having the chance to bid.

The Sarbanes-Oxley Act (“SOX”) requires that publicly traded companies that outsource a portion of their processes obtain an SSAE 16 report from their service organization. The SSAE 16 report can effectively replace the need for the service organization to be subject to multiple audits from its customers and their respective auditors. Multiple visits from user auditors can place a huge burden on the service organization’s limited resources. An SSAE 16 report ensures that all customers of service organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor’s requirements. The SSAE 16 may also help a service organization recognize significant efficiencies in its business processes as well as improvement in its controls and control environment through value-added recommendations from the service auditor.


The main benefit of an SSAE 16 report to customers of service organizations is that they can provide the report to their auditors, who in turn can use it in planning the audit of the financial statements and potentially reduce a significant amount of testing that would otherwise have been necessary. Without an SSAE 16 report, the customers of a service organization would likely have to incur additional audit costs to enable their auditors to perform procedures at the service organization. Customers that obtain an SSAE 16 report from their service organization(s) receive an independent and unbiased opinion from the service auditor about the service organization’s controls and the effectiveness of those controls. The SSAE 16 report is a mechanism for customers of service organizations to demonstrate management of risks and exposures while outsourcing business services. It helps ensure processing integrity and reliability of outsourced business transactions and services.


For service organizations that are currently subject to a SAS 70, the new standards provide an opportunity to challenge the value and re-visit the scope of your current reporting and compliance obligations.  Some of the areas you may want to consider are:

  • Re-visit comments that you may have received from your existing clients regarding your current report and any improvements that may be necessary.
  • Challenge the current scope to gain confidence that the report truly reflects the significant components of your business operations.
  • Is your organization subject to additional regulations that could potentially be addressed through the SSAE 16 report (e.g., Gramm–Leach–Bliley Act)?
  • Would this be a good time to add Trust Services reports (WebTrust, SysTrust) or ISO 27001 / ISO 27002 / PCI DSS certifications to your service organization reporting process?

For customers of service organizations that currently receive a SAS 70 from their service organization, re-visit the scope of the current SAS 70 report provided by your service organization and ensure that it truly reflects their processing environment as it relates to your transactions.  Involve your financial statement auditors to make sure that the new SSAE 16 report will satisfy their requirements not only in terms of scope but also timing of when the report will be made available to you by your service organization.

For service organizations that do not have an independent examination of their controls performed, it is never too late to consider obtaining one, and for customers of service organizations it is never too late to ask for one.




NOTE: This article cannot be reproduced or revised without the express written permission of Neil Gonsalves ([email protected]).