What is SSAE 16?

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an organization’s internal controls and how service companies report on these controls. SSAE was published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). 

Auditors use SSAE 16 as a guide when clients pursue either a SOC 1 Type 1 or SOC 1 Type 2 report. A SOC 1 Type 1 report is an independent snapshot to reflect the status of an organization’s control landscape on a given day. A SOC 1 Type 2 report adds historical data to show how controls were managed or changed over time. 

SSAE 16 is used by auditors to help them with the discovery of controls, including security controls, in all types of organizations, such as data centers, internet service providers (ISPs) and other entities that incorporate information security controls. These standards help both organizations and auditors show information security compliance with regulations.