Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 (SAS 70) and has been superseded by SSAE No. 18.
The “service auditor’s examination” of SAS 70 is replaced by a System and Organization Controls (SOC) report. SSAE 16 was issued in April 2010, and became effective in June 2011. Many organizations that followed SAS 70 have now shifted to SSAE 16. Some service organizations use the SSAE 16 report status to show they are more capable, and also encourage their prospective end-users to make having an SSAE 16 a standard part of new vendor selection criteria.
SSAE 16 mirrors the International Standard on Assurance Engagements (ISAE) 3402. Similarly, SSAE 16 has two different kinds of reports. A SOC 1 Type 1 report is an independent snapshot of the organization’s control landscape on a given day. A SOC 1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.