Making the Move from SAS 70 to SSAE 16
A management decision-making guide for SOC1 reports issued under SSAE 16
In general, SSAE 16 replaces SAS 70 as the professional standard for service organizations to obtain an independent assessment of the effectiveness of internal controls that are relevant to their customers' financial statements. Although early adoption is permitted, SSAE 16 is effective for reporting periods ending on or after June 15, 2011.
This guidance was developed by Deloitte & Touche LLP to assist service organization management in addressing the implications of the AICPA SOC framework related to SSAE 16 and was developed with the following objectives in mind:
- To provide an understanding of the SOC1/SSAE 16 requirement for management's description of the system
- To provide an understanding of the SOC1/SSAE 16 requirement for management's assertion
- To facilitate the assessment and determination of management's risk posture
- To assist in the identification of relevant assertions
- To offer potential solutions for supporting management's assertion and description of the system
Note: Although elements of this framework may be relevant to SOC2 or SOC3, service organizations should consult with their service auditor for guidance regarding these special-purpose reporting options.
The guide covers the following information:
Building management's description of the system
- What is the description of the system?
- What are the required elements?
- What will the service auditor be evaluating?
- How can I effectively build the description?
Management's assertion
- What is the management assertion?
- Do I have a reasonable basis to support my assertion?
- What factors should I consider?
- Should I do more than I am already doing?
- How do I determine responsibility for the assertion?
- What are the consequences?

A Guide to Transitioning from SAS 70 to SSAE 16/SOC 1



