SSAE 16

Statement on Standards for Attestation Engagements (SSAE) 16 is an auditing standard for service organizations, superseding SAS 70. The latter's "service auditor’s examination" is replaced by a "Service Organization Controls" (SOC) report. SSAE 16 was issued in April 2010 and became effective in June 2011; many organizations that followed SAS 70 have now shifted to SSAE 16.

SSAE 16 is largely an American standard, but it mirrors ISAE 3402.[1] Similarly, SSAE 16 has two different kinds of reports: a SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day, whilst a SOC 1 Type 2 report adds a historical element, showing that controls were managed over time (typically 6 months).

SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley's requirement (section 404) to show effective internal controls covering financial reporting.[2] However, it is not limited to financial reporting; it can also be applied to other sectors, and is useful for datacentres in particular.[3]

SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set; in this respect it is similar to ISO 27001:2013.

References

  1. "SSAE 16 overview". Retrieved 11 May 2015.
  2. "SSAE 16 Overview". Frost. Retrieved 11 May 2015.
  3. "Why Data Centers Need SSAE 16". Data Center Knowledge. Retrieved 11 May 2015.
This article is issued from Wikipedia - version of the Tuesday, April 12, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.