SSAE 16 Attestation Reports Can Set You Apart From the Competition
By Jamie Paddon, Head of Internal Audit, Risk & Compliance, Radius
Convincing a prospect that your business has sufficient quality controls to meet its expectations is a difficult task. Sure, you can provide the prospect with testimonials from your clients or various statistics to support your point, but nothing is more convincing than an independent report from a trusted third party.
There are many different types of third-party quality certifications that businesses can choose from depending on the industry and the products and/or services provided. For example, a medical-device manufacturer might hire a trusted firm to certify that its products meet related regulatory requirements in the US and other jurisdictions. Obtaining this kind of certification from an independent firm can go a long way towards reassuring prospects.
At Radius, we provide a wide array of services such as payroll, vendor payments, production of management accounts and tax filings. Our prospects and clients that outsource these critical financial services need to know that we have adequate controls in place to deliver them effectively. In order to demonstrate this, we provide SSAE 16 reports issued by a reputable, widely-recognized third party.
Given our experience in this important area of attestation, we’re publishing this blog post to provide an overview of the different types of SSAE 16 reports and why they’re an essential tool for service and software organizations like Radius, and for the clients and prospects that use them.
The Basics of SSAE 16
SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16. As the American Institute of CPAs explains, SSAE 16 relates to examinations by auditors “to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting.”
In other words, SSAE 16 reports (or attestations) provide an independent assessment of a service provider’s internal controls related to financial reporting. The reports, moreover, can provide a strong measure of assurance to the provider’s customers that the customers’ own financial reporting will not be compromised by using that provider. In 2011, SSAE 16 replaced Statement on Auditing Standards No. 70, Service Organizations (SAS 70) as the accepted guidance for reporting on service providers.
SSAE 16 attestations are part of the Sarbanes-Oxley Act of 2002 (or SOX) family of accreditations. SSAE 16 reports are divided into types, as outlined here.
SSAE 16 Reports and Benefits
- SOC 1 Reports. SOC 1 reports provide assurance over the control frameworks in place for the outsourced provision of financial services. SOC 1 reports can be used by the external auditors of the provider’s clients as evidence that the provider’s controls are sound; the reports can greatly reduce client audit fees. There are two types of SOC 1 reports.
  - SOC 1 Type 1 Reports. Type 1 reports give assurance as to the suitability of provider controls tested at a given point in time.
  - SOC 1 Type 2 Reports. Type 2 reports cover a specific period of time (e.g., a specified 12-month period) and provide assurance as to both the suitability and the operating effectiveness of the controls being relied upon.
- SOC 2 Reports. SOC 2 reports provide assurance over key controls operated by data centers, IT managed services, tech and cloud-based businesses and Software as a Service (SaaS) providers. Like SOC 1 reports, they can be used by the external auditors of the provider’s clients as evidence that the provider’s controls are sound, and they can greatly reduce client audit fees. Just like the SOC 1 accreditation, SOC 2 reports can be either Type 1 or Type 2 (as described above).
- SOC 3 Reports. SOC 3 reports are similar to SOC 2 reports, but they do not detail the specific testing performed or provide an audit opinion. SOC 3 reports are therefore designed only to be used for marketing purposes, not to provide assurance to auditors.
To use an example close to home: At Radius, we commission an independent firm of accountants to audit the key manual and automated controls we have in place over the main services we provide and the global IT environment we use to deliver those services. The independent firm provides us with a SOC 1 Type 2 report, which we share with our clients and prospects (and their respective auditors), giving them comfort that our systems and processes are both robust and have operated reliably over the previous calendar year. (We also, incidentally, recently commissioned production of a SOC 2 audit.)
We regard this independent attestation process as an essential component of the services we provide. And in an increasingly stringent global regulatory environment, many of our clients demand third-party assurance that our key controls are robust and reliable. We provide the attestation reports to all our clients free of charge. It’s worth noting, however, that we do insist all recipients sign a non-disclosure agreement (NDA) with us, as the reports contain detailed descriptions of our controls and operational processes. This is an important point to remember when making third-party reports available to clients and prospects.
Perhaps it’s time for you to think about what external validations would be of most benefit to your customers so you can set yourself apart from the competition!