What is SSAE 16?

Statement on Standards for Attestation Engagements (SSAE) No. 16 establishes standards for obtaining audits of a Service Organizations internal controls. SSAE 16 reports most often apply to companies (Service Organizations) who provide outsourced-type services to their customers. The purpose of an SSAE 16 audit is to provide customers (and their auditors) with comfort that the outsourced services are being performed in a controlled environment. Examples of industries who generally obtain SSAE 16 reports include: Datacenters/Co-location facilities Payroll Processors Network Monitoring Services Financial Institution Support Services Software as a Service (SaaS) providers Claim Processors Service Organizations may also obtain audits of specific defined control criteria that meet customer requirements beyond that of an SSAE 16 report. These audits are performed under the guidelines of AT 101 and specifically address risks around IT-enabled systems including Security, Availability, Processing Integrity, Confidentiality and Privacy criteria based on SysTrust and WebTrust principles.

Types of Reports
Under the guidelines of SSAE 16 and AT 101, Service Organizations can obtain the following types of Service Organization Controls (SOC) Reports: SOC 1 (SSAE 16) report on controls objectives defined by the Service Organization which may be relevant to the customers internal control over financial reporting; result in the creation of an audit report for limited distribution to customers (and their financial auditors); corresponds to the former SAS 70 Type II report; currently considered the most popular type of SOC report. SOC 2 (AT 101) report on controls at a Service Organization that relate to some or all of the defined control criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy); results in the creation of an audit report for limited distribution to customers; currently considered mostly as a marketing tool to differentiate a Service Organization from its competition. SOC 3 (AT 101) report on controls at a Service Organization that relate to some or all of the defined control criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy); results in the issuance of an electronic seal that can be placed on the customers website; currently considered mostly as a marketing tool to differentiate a Service Organization from its competition.

The Holtzman Partners Advantage

Holtzman Partners, LLP performs SSAE 16 audits for companies in a variety of industries and we believe that our firm offers the following advantages in providing these services: Deep and relevant internal control experience High report quality Experience with a variety of industries No surprise audits Audit partner and manager involvement Reasonable fee structure First year audit preparation assistance Long term relationship focused Standardized approach tailored to each client Global audit reach (through PKF Alliance) Control Database (for benchmarking)
Holtzman Partners, LLP 1710 West Sixth Street Austin, Texas 78703 phone 512.610.7200 fax 512.610.7201 www.holtzmanpartners.com