This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: What is the smallest sized company that has to conform to the new AICPA SSAE16 standards?
Answers
Size doesn't matter here - what matters is the relevance of the service organization to the user's operating environment and, for SSAE 16, to the user's financial statements. If a very small company has a material impact on many other small companies' environment, the SSAE 16 is an applicable report. If the company would like to grow, mid-sized and larger companies will look to make sure that their existing control environments will not be weakened by integrating the service provider into their organization's processes.
One person...because the AICPA SSAE 16 standard applies to CPAs not service organizations. Was that a trick question?
In my view, the SSAE 16 reports (used to be SAS70) is primarily an