SSAE 16 Professionals, LLP Explains How a SSAE 16 (SOC 1) or SOC 2 Report Can Grow Your Business

Share Article

In an increasingly competitive market environment, small business owners and executives wonder whether a SSAE 16 or SOC 2 report is necessary. SSAE 16 Professionals is here to help answer the questions to determine if a SSAE 16 report is worth the time and money.

SSAE 16 Professionals - Delivering SSAE 16 Type I and SSAE 16 Type II Reports

SSAE 16 Professionals

Most business executives prefer a collaborative partner when seeking professional services. SSAE 16 Professionals offers the ultimate value proposition: competitive fees coupled with unparalleled client service.

SSAE 16 Professionals is a leading provider that specializes solely in SSAE 16 readiness reviews, SSAE 16 Type I Reports, SSAE 16 Type II Reports, and SOC 2 Reports. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011, and effectively replaces SAS 70 as the standard for reporting on service organizations.

Companies may be wondering what the differences are between SAS 70 and SSAE 16. Below are several key differences between SAS 70 and SSAE 16 reports:

  • Attestation Standard versus Auditing Standard – SSAE 16 reports will follow attestation standards and framework.
  • Management Assertion – service auditor must obtain management’s assertion which must contain the suitable criteria that management used to determine the controls have been applied as designed. Management’s written assertion must accompany the service auditor’s report.
  • Use of Suitable Criteria – management must use suitable criteria to base its written assertion. Suitable criteria can include evidence around the system design and implementation, automated or manual processes, types of transactions processed, as well as other COSO components.
  • Use of Internal Audit – any work performed by internal audit must be discussed, including the type of work performed and the procedures used to perform the work.
  • Risk Assessment – management must formally identify risks that threaten the achievement of the control objectives.

SSAE 16 Reports:

  • are designed to help user (customer) auditor assess control risk, plan the audit and design procedures in conjunction with their financial statement audits
  • provide user auditors a common vehicle to gain an understanding of your control environment without performing independent procedures at your organization
  • are primarily a report from a “service auditor” to a “user auditor” on management’s description of relevant internal control structure elements

“Most business executives prefer a collaborative partner when seeking professional services,” says Jim Jimenez, Partner at SSAE 16 Professionals. “SSAE 16 Professionals offers the ultimate value proposition: competitive fees coupled with unparalleled client service and expertise”.

SSAE 16 Readiness Reviews
SSAE 16 Readiness Reviews are consulting engagements that are designed to assist service organizations in assessing their preparedness for a SSAE 16 audit. SSAE 16 Professionals works collaboratively with management teams to perform a detailed readiness review and provide a gap matrix that identifies controls that would pass right away, controls that would partially fail, and controls that would fail and require remediation (in priority order with recommendations for remediation). Some firms go right into the SSAE 16 and realize there are issues which result in a qualified opinion. By that time, the service organization has spent a lot of time and money only to get a qualified report (which is useless to both the service organizations and its clients).

SSAE 16 Type I and Type II Reports
In addition to Readiness Reviews, SSAE 16 Professionals completes both Type I and Type II SSAE 16 Reports.

  • SSAE 16 Type I Reports - A report on policies and procedures placed in operation as of a specified point in time. SSAE 16 Type I Reports evaluate the design effectiveness of a service provider’s controls and then confirms that these controls have been placed in operation as of a specific date.
  • SSAE 16 Type II Reports - A report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SSAE 16 Type II Reports include the examination and confirmation steps involved in a Type I examination plus include an evaluation of the effectiveness of the controls for a period of at least six calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.
  • SSAE 16 Reports are beneficial because:
  • Financial Audit Requirement by SEC - Auditors of your Clients will increase their scrutiny of the “system of internal control” during their audits of the financial statements (Sarbanes-Oxley) - which will result in more requests for your SSAE 16 report.
  • Marketing and Competitive Advantage - SSAE 16 can be a key differentiator to prospective clients.
  • One Time Audit - Avoids user auditors (auditors of your clients) continuously contacting service organization personnel for separate audits throughout the year. Rather, service organization clients request and rely on the SSAE 16 report.

About SSAE 16 Professionals
SSAE 16 Professionals is one of the nation’s leading firms specializing solely in SSAE 16 audits and readiness assessments. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), and/or MBA (Master of Business Administration). For more information, please visit


Share article on social media or email:

View article via:

Pdf Print

Contact Author

Jim Jimenez - Managing Partner
Visit website