GLOSSARY OF SSAE 16 TERMS

Source: Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization

Carve-out method: Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls. Management’s description of the service organization’s system and the scope of the service auditor’s engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include management of the service organization’s review of a service auditor’s report on controls at the subservice organization.

Complementary user entity controls: Controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Control objectives: The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

Controls at a service organization: The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report.

Controls at a subservice organization: The policies and procedures at a subservice organization likely to be relevant to internal control over financial reporting of user entities of the service organization. These policies and procedures are designed, implemented, and documented by a subservice organization to provide reasonable assurance about the achievement of control objectives that are relevant to the services covered by the service auditor’s report.

Criteria: The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Inclusive method: Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.

Internal audit function: The service organization’s internal auditors and others, for example, members of a compliance or risk department, who perform activities similar to those performed by internal auditors.

Service auditor: A practitioner who reports on controls at a service organization.

Service organization: An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

Service organization’s system: The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies the services covered, the period to which the description relates (or, in the case of a type 1 report, the date to which the description relates), the control objectives specified by management or an outside party, the party specifying the control objectives (if not specified by management), and the related controls.

SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16 addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.

SSAE 16 Type 1 Report: This type of report comprises the following:

a. Management’s description of the service organization’s system.

b. A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria,

i. management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.

ii. the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date.

c. A service auditor’s report that expresses an opinion on the matters listed above.

SSAE 16 Type 2 Report: This type of report comprises the following:

a. Management’s description of the service organization’s system.

b. A written assertion by management of the service organization about whether, in all material respects, and based on suitable criteria,

i. management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period.

ii. the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives.

iii. the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.

c. A service auditor’s report that

i. expresses an opinion on the matters listed above.

ii. includes a description of the tests of controls and the results thereof.

Subservice organization: A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

System: The procedures, people, software, data and infrastructure organized to achieve a specific objective.

Test of controls: A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.

User auditor: An auditor who audits and reports on the financial statements of a user entity.

User entity: An entity that uses a service organization.