What is SSAE 16?
SSAE 16, otherwise known as Statement on Standards for Attestation Engagements No. 16, was an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It was issued in April 2010 and was specifically designed for service organizations that provide outsourced services. SSAE 16 was introduced to enhance the reporting and assurance standards for service organizations and their clients.
One of the main objectives of SSAE 16 was to replace the previous standard SAS 70 (Statement on Auditing Standards No. 70) and align it with the international standard ISAE 3402 (International Standard on Assurance Engagements No. 3402). This alignment was designed to provide consistency and compatibility in reporting for service organizations that operate on a global scale.
Introduction of a SOC Report
SSAE 16 introduced the concept of a Service Organization Control (SOC) report, which replaced the SAS 70 report. The SOC report is an independent auditor’s report that provides information about the design and effectiveness of a service organization’s controls. This report is issued by a service auditor, who evaluates and tests the controls of the service organization to provide assurance to the organization’s clients and stakeholders.
The SOC report can be of two types: Type 1 and Type 2. A Type 1 report provides an opinion on the design of the controls as of a specific point in time, while a Type 2 report provides an opinion on the design and the operating effectiveness of the controls over a period of time (usually 6 or more months). The choice between Type 1 and Type 2 depends on the client's needs and the level of assurance required.
Under an SSAE 16 audit, service organizations were required to provide a detailed description of their systems and the controls in place. This description included the service organization’s objectives, the nature of the services provided, and the overall control environment. This enhanced description helped the clients of the service organization gain a better understanding of the services being provided and evaluate the suitability of those services for their own operations.
Another important aspect of SSAE 16 was the consideration of “Subservice Organizations.” Service organizations often rely on other organizations to perform certain functions on their behalf, and these organizations are referred to as subservice organizations. During an SSAE 16 audit, service organizations were required to evaluate and disclose the risks associated with subservice organizations. If the subservice organization’s controls were relevant to the services being provided, the service organization had to obtain a SOC report from the subservice organization or perform additional procedures to obtain sufficient assurance.
SSAE 16 also emphasized the importance of “Written Representations” from management. Service organizations were required to provide a written assertion to the service auditor, affirming the accuracy and completeness of the description of the system and controls. This written representation increased the accountability of the service organization and provided additional confidence to clients and stakeholders.
Overall, SSAE 16 was a significant improvement over its predecessor SAS 70, as it aligned with international standards, introduced the SOC reports, emphasized the detailed system description, considered subservice organizations, and required written representations from management. These enhancements increased transparency, provided assurance to clients, and improved the overall reliability and quality of the reporting process for service organizations. It is, however, important to note that SSAE 16 has since been replaced by SSAE 18, and there are differences between SSAE 16 and SSAE 18.