Understanding SSAE16 IT Requirements

How to bring your network and data into compliance with the Statement on Standards for Attestation Engagements


SSAE No. 16 is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for redefining and updating how service companies report on compliance controls. SSAE 16 has replaced SAS 70 with a new framework for reporting on controls at service organizations. SSAE 16 now requires a written statement of assertion to the auditor that their controls description accurately represents their business operations, with two types of audits:

  • Type 1 – Auditors test the accuracy of the service provider’s description and assertion.
  • Type 2 – Auditors test the accuracy of the service provider’s description and assertion, as well as the implementation and effectiveness of controls over a specific period of time.

In addition to SSAE 16, a new framework for examining the controls at service organizations has been established – SOC 1, SOC 2, & SOC 3 provides service organizations with an effective means for reporting on their control.

SOC 1 is focused on the financial reporting controls. SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a computer system. SOC 3 is focused on e-commerce.

Feature-Requirement Map

There is no line item or checkbox that directly pertains to Varonis, but here’s how Varonis can help with efficiently reporting on controls:

Requirement Description Varonis Product/Feature
Within the SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles (TSP) that are composed of the following five (5) sections: 1. The security of a service organization’s system.

2. The availability of a service organization’s system.

3. The processing integrity of a service organization’s system.

4. The confidentiality of the information that the service organization’s system processes or maintains for user entities.

5. The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.

Governance The Varonis IDU Classification Framework and Varonis DatAdvantage help identify files and SharePoint sites containing personal information, determine who has access to it, who is using it, and who should be responsible (data owners) – all of which are easily reportable. Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to unstructured data, but it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). Availability is enhanced as undesirable activities changes may be detected and corrected. Integrity is enhanced as the ability to make modifications to processed data is restricted to those systems and users that require the ability to make changes and all modifications to processed data are recorded. Confidentiality is improved as access to data better conforms to a least privilege model, and unusual access patterns are detected. Privacy of personal information is enhanced as this data is easily identified, access to it is restricted, and its use monitored. (Security is defined as the combination of Confidentiality, Integrity, and Availability) This has a two-fold effect on the security, availability, integrity, confidentiality and privacy of systems:

1) it unites all of the parties responsible including data owners, auditors, data users and IT around the same set of information and 2) it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Request a demo

Or contact sales at 877-292-8767