SSAE 16
Statement on Standards for Attestation Engagements (SSAE) 16 is an auditing standard for service organizations, superseding SAS 70. The latter's "service auditor’s examination" is replaced by a "Service Organization Controls" (SOC) report. SSAE 16 was issued in April 2010, and became effective in June 2011; many organizations which followed SAS 70 have now shifted to SSAE 16.
SSAE 16 is largely an American standard, but it mirrors ISAE 3402.[1] Similarly, SSAE 16 has two different kinds of reports: a SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day, whilst a SOC 1 Type 2 report adds a historical element, showing that controls were managed over time (typically 6 months).
SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley's requirement (section 404) to show effective internal controls covering financial reporting.[2] However, it is not limited to financial reporting; it can also be applied to other sectors, and is useful for datacentres in particular.[3]
SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set; in this respect it is similar to ISO 27001:2013.
References
- "SSAE 16 overview". Retrieved 11 May 2015.
- "SSAE 16 Overview". Frost. Retrieved 11 May 2015.
- "Why Data Centers Need SSAE 16". Data Center Knowledge. Retrieved 11 May 2015.