AICPA SSAE16 Type II (formerly SAS 70)
Innovu is SSAE16 Compliant
Innovu engaged an accredited, third-party AICPA SSAE 16 auditing firm to create a set of audit control objectives that best reflect the key service quality indicators that measure operating effectiveness. The audit control objectives included all activities related to physical and logical security controls, data privacy, administration, vendor management, auditing/logging, disaster recovery, incident management and monitoring installation and configuration. Innovu was awarded this accreditation in September 2015 with zero reporting exceptions.
What is SSAE16?
The Statement on Standards for Attestation Engagements (SSAE) No. 16 is a standard that was created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The SSAE 16 replaces the SAS70, which was the previous auditing standard for evaluating and reporting on controls implemented by service delivery organizations. Third-party auditing firms are engaged by service providers to review, analyze and evaluate the overall design and implementation of controls that affect their organization’s operating effectiveness. SSAE16 audit engagements conducted by these specialized third-party auditing firms result in the issuance of a SSAE 16 Type I or SSAE 16 Type II Report.
Type I vs. Type II Reports
A Type I report is technically known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls”, or simply known as an SSAE Type I report.
A Type II Report, it is technically known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls”, or simply known as an SSAE Type II report.
The key distinction between the two reports is that the Type II report contains an evaluation of the effectiveness of the Design Controls that have been implemented by the service delivery organization while the Type I contains just the description of the Design Controls in place. Type II reports also provide a detailed analysis on the effectiveness of the processes, technologies and oversight the service provider has implemented to achieve the control objectives. The Type II audit requires on-site inspection and in-person employee interviews to confirm that the controls presented are actually functioning as represented.