Cetrom Blog - Industry insight from leading cloud provider

What is SSAE 16?

Written by Administrator | September 6, 2013

What is SSAE 16, and how is it keeping your Cloud service provider honest?

Organizations interested in finding a better business IT services provider may have heard about the most recent standard of reporting for service organizations, known as SSAE 16 (also referred to as SOC 1). But what exactly is SSAE 16? Why is it important for companies that provide Cloud Computing services to be SSAE 16 compliant? And what does it all mean?

As an innovative Cloud services provider, Cetrom adheres to the SSAE 16 standard in that our top-tier data centers are in compliance with this latest form of reporting. We have found that by following this improved reporting standard, our clients feel more secure in choosing us to do business with. Whether you are a service organization or a client in need of a service provider, knowing about SSAE 16 will help you make smarter business decisions.

What is SSAE 16?

SSAE 16 (SOC 1), or Statement of Standards for Attestation Engagements No. 16 (Service Organization Controls Report 1), is the latest “attest” standard for service organizations drawn up by the ASB (Auditing Standards Board) of the AICPA (American Institute of Certified Public Accountants). Effective since June of 2011, the new SSAE 16 standard replaced the former auditing standard SAS 70 and is now used to provide user auditors with detailed information about financial controls at a service organization.

SSAE 16 is known as an attest standard rather than an audit standard because it requires a more comprehensive level of reporting: a description of the organization’s system. In previous audit reporting standards, service organizations were only required to provide a description of controls, which is less expansive than a system description. Additionally, SSAE 16 requires that the service organization’s management submit a written statement of assertion to supplement the system description.

Put into layman’s terms, the requirements for SSAE 16 compliance include submitting thoroughly detailed and comprehensive financial reports. Achieving this particular compliance involves surrendering more sensitive financial information directly from the organization’s management, while the previously accepted reporting standard (SAS 70) did not.

What is the difference between SSAE 16 and SAS 70?

The main differences between SSAE 16 and SAS 70 concern the level of detail involved in financial reporting. However, another key difference is that SSAE 16 aims to adopt more globally accepted accounting principles like those set forth in the ISAE 3402 reporting standard, developed by the International Federation of Accountants (IFAC). For example, global efforts are being made to improve assurance reporting. By requiring both a system description and a written statement of assertion, SSAE 16 contributes to the global ideal that reporting should reassure consumers that compliant organizations are trustworthy and deserving of their business. SSAE 16, being consistent with its international equivalent ISAE 3402, has effectively replaced SAS 70.

Who is required to comply with SSAE 16 standards?

According to SSAE-16.com, “If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.”

What does it mean to be “SSAE 16 certified?”

The term “SSAE 16 certified” is not legitimate. By submitting the required reports that meet the SSAE 16 standard, a service organization can be considered SSAE 16 compliant, but there are too many differences in every company’s systems and processes to be standardized and labeled into a single certification.

Why is it better to hire Cloud Computing services providers who are SSAE 16 compliant?

Simply put, service organizations (such as business IT services providers or companies that provide Cloud Computing services) should be SSAE 16 compliant because this reporting standard promotes financial transparency. Providers with SSAE 16 compliance demonstrate they are financially responsible and equipped to best handle their clients’ data. According to SSAE 16 professionals, “Many companies will not even think about using (service organizations) to perform services for them without (SSAE 16 compliance).” –– SSAE-16.com

Where can I go to learn more about SSAE 16?

• SSAE-16.com
• The SSAE 16 Resource Guide can be found on the AICPA website