Certification & Compliance: What is SSAE 16?

Behind the Internet

The first installment in a series on certification and compliance, this report looks at Statements on Standards for Attestation Engagements 16 (SSAE 16):

  • What is SSAE 16?
  • What is the AICPA?
  • Changing Uses of the SSAE 16 Report
  • Difference Between Type I and Type II
  • Relationship to Sarbanes-Oxley
  • Conclusion

What is SSAE 16?

SSAE 16 is a standard developed by the American Institute of Certified Public Accountants (AICPA) to delineate an objective understanding of “how service companies [should] report on compliance controls,” writes Margaret Rouse for TechTarget. In use since June 15, 2011, SSAE 16 replaced SAS 70, a standard first release in April 1992.

SSAE 16 is essentially intended as an update and improvement of SAS 70. One new feature is that leadership at the service organization must give the auditors a signed statement that describes the organizational system. This assertion must include the types of services offered by the company and any business tasks that impact clients. Any company seeking certification must additionally verify that the statement fits the intentions of its control mechanisms and the time window established for analysis.

What is the AICPA?

With over 400,000 members in almost 150 nations, the American Institute of Certified Public Accountants has more constituents worldwide than any other accounting professional association. It was formed in 1887, and its membership comes from all fields of accounting – business, public practice, government, academia, and third-party analysis.

The AICPA establishes ethical guidelines for all accountants, as well as American standards for proper accounting within for-profit firms, charities, and governmental agencies. It designs and administers the Uniform CPA Examination, along with providing specific certifications for accountants who focus on independent investing, forensics, enterprise worth determination, and technological compliance. Together with the Chartered Institute of Management Accountants, the AICPA has introduced the chartered global management accountant title to standardize that particular branch of accounting.

Changing Uses of the SSAE 16 Report

This report is being used more broadly than it was in the past. In order to stay legal, financial firms must show that they are controlling independent service providers sufficiently, as can be confirmed with an SSAE 16 survey. Similarly, companies that deliver services to medical providers and other healthcare firms want to complete SSAE 16 auditing so that their clients know an objective outside entity has checked the mechanisms that safeguard HIPAA protected health information (PHI).

Difference Between Type I and Type II

There are two types of SSAE 16 report, and there is a huge difference between the two. If you see that an organization is certified as Type II, that’s the only way you know it has passed rigorous testing.

Type I – reports on controls placed in operation

As its rather straightforward name suggests, this type of report covers all control mechanisms that are established on a particular date. The auditor determines if the mechanisms are provided clearly and comprehensively; whether they are sufficient to meet necessary ends; and whether they were set up on a certain date. Note that these certifications are only relevant to a single chosen day, so they are unimpressive to anyone familiar with the other report type.

Type II – report on controls placed in operation and tests of operating effectiveness

Again, as indicated by the obvious title, this type tests the mechanisms in operation. What is not made clear by its name is that this certification gauges an entire stretch of time, making it exponentially more reliable. Thus, this report covers all control mechanisms established for a length of time, generally at least six months. It includes the parameters of Type I certification, along with their effectiveness at serving their intended purpose during the monitoring window. Those looking for SSAE 16 certified vendors and partners appreciate the more expansive reach of this report type.

Relationship to Sarbanes-Oxley

When the Sarbanes-Oxley Act of 2002 was passed into law, the relevance of this standard was amplified. Sarbanes-Oxley (SOX) chose the COSO model to organize controls, the model that has always been the basis for SAS 70 / SSAE 16. SOX, which increased the attention paid to knowledge of control mechanisms that protect the authenticity of finance reporting, listed a Type II report as the one legitimate way for an outside entity to verify the controls of a service provider.


At Superb Internet, we believe strongly in showing that our facilities, staff, and systems meet objective guidelines when evaluated by credible third parties. All three of our data centers are audited to meet SSAE 16, a standard of control reporting as described above. Our staff is certified to follow the practices of the ITIL (formerly called the Information Technology Infrastructure Library), which essentially integrates IT objectives with business objectives. Our systems are registered for fulfilling the stipulations of the International Standards Organization’s ISO 9001:2008, which determines the ability of a company to consistently and legally provide services that maintain acceptable quality.

Get fully compliant dedicated server hosting you can trust today.

By Kent Roberts