Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 (SAS 70) and has been superseded by SSAE No. 18.

The "service auditor’s examination" of SAS70 is replaced by a System and Organization Controls (SOC) report. SSAE16 was issued in April 2010, and became effective in June 2011. Many organizations that followed SAS70 have now shifted to SSAE16.[citation needed] Some service organizations use the SSAE16 report status to show they are more capable, and also encourage their prospective end-users to make having an SSAE16 a standard part of new vendor selection criteria.[citation needed]

SSAE16 mirrors the International Standard on Assurance Engagements (ISAE) 3402. Similarly, SSAE16 has two different kinds of reports. A SOC1 Type 1 report is an independent snapshot of the organization's control landscape on a given day. A SOC1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE16 standard requires a of the controls for a SOC1 Type 2 report.[citation needed]

Public companies in the United States fall under the Public Company Accounting Reform and Investor Protection Act, also known as Sarbanes–Oxley or SOX. However, there are also a number of provisions of the Act (e.g. the willful destruction of evidence to impede a federal investigation) that apply to privately held companies.[citation needed] SSAE16 reporting can help service organizations comply with Sarbanes–Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting.

For reports that are not specifically focused on internal controls over financial reporting, the American Institute of Certified Public Accountants (AICPA) has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC2 audits and focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE16 provides guidance on an auditing method, rather than mandating a specific control set. In this respect, it is similar to ISO 27001:2013.

Technology services

In technology SaaS companies, the SOC 2 audit is purchased to provide an assurance on various aspects of the software including security, availability, and processing integrity.

Modern SaaS organizations often use compliance automation platforms to maintain "audit-readiness" by continuously monitoring these controls.