What is an SSAE 16 report anyway? SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization, and was finalized in January 2010 by the Auditing Standards Board of the AICPA. SSAE 16 replaced SAS 70 as the authoritative guidance for reporting on service organizations. The report you will receive under this guidance is called a Service Organization Controls (SOC) 1 Report, which can be one of two types:
- In a SOC 1 Type I report, the auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls to achieve the related control objectives included in the description for a specific point in time.
- In a SOC 1 Type II report, the auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of controls to achieve the related control objectives included in the description over a period of time. This is generally the most common type of report you will receive from your service providers.
Where do I get it? Your service providers (for example, your plan’s recordkeeper, trustees, or other advisers) typically issue this report on an annual basis, and if it is not already made available to you, it should be provided upon request. Remember, if your plan requires an audit, the auditor will request this report anyway, so this is a great time to review it yourself.
What am I looking for in it? At first glance this report can be overwhelming, so just focus on the key items relevant to you:
- Auditor’s Opinion – Read the opinion paragraph seen in the Independent Auditor’s Report at the beginning of the document. Is it modified? Are there exceptions noted in the opinion? If you answer yes to either of these, you should determine if these will impact your plan participants or any other reports provided by your service provider.
- Subservice Organizations – Often, your service provider will use other organizations in its operations. If a referenced subservice organization isn’t included in your SOC 1 report (also referred to as “carved-out”), consider whether it is significant to your plan (that is, whether it directly impacts the plan and its data). If it is, you should obtain the subservice organization’s report, too.
- Testing of Operating Effectiveness of Key Controls – Review all testing performed by the independent auditor for any exceptions. If there are any exceptions, review management’s response and determine whether they will impact your plan participants or any other reports provided by your service provider.
- Complementary User Entity Controls – Your service provider will point out the controls that must be in place at the plan sponsor in order for reliance to be placed on the controls listed in the SSAE 16 report. It is extremely important that you review these and verify that you have all applicable procedures in place.
For more information, read the standard at www.aicpa.org.
By Audrey D. Richards