Certified SSAE 16 Type IIIn April 2010 the AICPA’s Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The SSAEs are also known as the attestation standards; in an attestation report a CPA attests to subject matter or an assertion about something other than the fairness of the presentation of financial statements.
SSAE 16 is applicable when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated in the outsourcer’s financial statements. In SSAE 16 an entity that performs a specialized task or function for other entities is known as a service organization and an entity that outsources the task or function to a service organization is known as a user entity.

One example of a service organization is an entity that processes medical claims for health insurance companies. Participants in health insurance plans submit their claims to the claims processor, which processes the claims for the health insurers based on rules established by the insurers, for example, rules related to eligibility and the amount to be paid for each service. The claims processor provides the health insurers with claims data, such as the total cost of claims paid during a period. The insurers use that data to record their claims expense and the related liability. That information flows through to the insurers’ financial statements. Even though that information is generated by the claims processor, management of the health insurers is still responsible for the accuracy of that information because it is included in their financial statements. The auditor of a user entity’s financial statements (user auditor) has the same responsibility for auditing that information as he or she has for auditing other financial statement information.

One way a user auditor may obtain evidence about the quality and accuracy of the data provided to a user entity by a service organization is to obtain a CPA’s report (a service auditor’s report) on controls at the service organization that affect data provided to the user entities and incorporated in the user entities’ financial statements. The rationale for this approach is that controls are designed to prevent, or detect and correct, errors or misstatements. If controls at a service organization are operating effectively, errors in data provided to the user entities will be prevented, or detected and corrected, and misstatements in the user entities’ financial statements will be avoided.

Prior to the issuance of SSAE 16, the guidance for service auditors reporting on controls at a service organization and for user auditors auditing the financial statements of a user entity was contained in a section of Statements on Auditing Standards (SAS) entitled “Service Organizations.” That guidance originated in a SAS issued in April 1992 that was numbered 70. Since then, reports on controls at a service organization have colloquially been called “SAS 70 reports.” The codification of the SASs is divided into sections and the section of the SASs in which SAS 70 was inserted is AU section 324, so sometimes the terms SAS 70 and AU section 324 are used interchangeably. SSAE 16 will be located in section 801 of the attestation standards (AT sec. 801).

SSAE 16 (and also SAS 70) enables CPAs to provide two types of service auditor’s reports. In both reports the service organization must prepare a description of its system that includes, among other things, the nature of the service provided, how the service is performed, and the service organization’s controls over the service and related control objectives. A service auditor may provide two types of reports. In a type 1 report, the service auditor expresses an opinion on whether the description is fairly presented (does it describe what actually exists?) and whether the controls included in the description are suitability designed. Controls that are suitably designed are able to achieve the related control objectives if they operate effectively. In a type 2 report, the service auditor’s report contains the same opinions that are included in a type 1 report but also includes an opinion on whether the controls were operating effectively. Controls that operate effectively do achieve the control objectives they were intended to achieve. Both types of reports are examination reports which means the CPA obtains a high level of assurance.


An enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70.

Who needs SSAE 16?

If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report.