My middle school daughter has a new word: Confuzzled. She is confuzzled by her algebra homework, confuzzled as to why I won’t let her have ice cream before dinner, and confuzzled that there was once a time when you had to answer the phone without knowing who was on the other end. Urbandictionary.com says that confuzzled is a merge of the words “confused” and “puzzled”, but it hasn’t made its way to Webster’s yet. I haven’t corrected her for using a word that isn’t actually a word because I think it’s harmless and well, quite frankly, cute.
That being said, I am confuzzled. More and more often I see service organizations claim to be SSAE 16 certified. I’m here to set the record straight. There is no such thing as SSAE 16 certification. Service auditors are engaged to perform an attestation engagement to report on controls at a service organization, which results in the issuance of a Service Organization Controls (SOC) report.
Generally, here is how it works. If a service organization determines that they need to assure their customers (user organizations) that the service organization controls affecting the user organization’s internal control over financial reporting are sufficient and functioning properly, they will engage a qualified
For example, it is common that an organization that processes medical claims for health insurance companies would obtain a SOC report to provide assurance about their controls to their customers. The health insurer is responsible for the accuracy of the data provided by the claims processor, so the health insurer should expect the claims processor to provide assurance that they have sufficient controls to ensure the accuracy of the data.
As part of the attestation engagement, the service organization must provide the service
In the Service Organization Controls (SOC) report itself, the service auditor expresses an opinion on the information provided by
So, there’s an SSAE 16/SOC 1 engagement in a nutshell. As was the case with SSAE 16’s predecessor, SAS 70, the misconception about certification has been perpetuated in today’s business environment. Just remember that because every service organization is unique, SSAE 16 examinations cannot be standardized and boiled down to a certification. I hope I’ve helped to clear up some of the confuzzlement.