SSAE 16 and Trust Services Principles & Criteria
Beyond the SAS 70 checkmark to a thoughtful approach to service provider governance.
SSAE 16 raises the bar for service providers. The new standard also places more emphasis on the service provider ensuring their report is developed consistently with the services their users depend on. SSAE 16 applies only in circumstances when a service provider's output has some relevancy to the “internal control over financial reporting” of their users.
So while, in the past, many companies thought of a SAS 70 report as a one-size-fits-all approach, that notion is clearly and strongly dispelled by SSAE 16. This is critically important: as more and more cloud computing models come online and become mission-critical components for users of those services, both the user of the service and the provider of the service need more transparency around the nature of services provided, the risks they represent, and the design and operational effectiveness of controls that mitigate those risks. In many cases, SSAE 16 is a proper report for service providers. In many cases it is not. Each situation needs to be carefully assessed by both the user of the services and the provider of services, so that any risk management program undertaken makes good business sense to all, rather than going through the motions of providing a report that serves to complete a checkmark.