The AICPA issued Technical Practice Aids (TPAs) 9520.12–.26 to provide nonauthoritative guidance regarding Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801).
The TPAs provide guidance for service auditors reporting on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR), and also to user auditors who audit the financial statements of entities that use a service organization. SSAE no. 16 supersedes the guidance for service auditors that is in Statement on Auditing Standards no. 70, Service Organizations (AICPA, Professional Standards, AU sec. 324). The guidance for user auditors will remain in the auditing standards.
The TPAs cover topics including the effect of moving the guidance for service auditors from the auditing standards to the attestation standards, the changes introduced by SSAE no. 16, the content of management’s assertion, determining whether an outside CPA firm that performs significant accounting and financial reporting processes and controls for a user entity is a service organization, and reporting on a service auditor’s engagement under both SSAE no. 16 and International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization.
In addition, TIS section 9530, Service Organization Controls (SOC) Reports, in AICPA Technical Practice Aids was issued to include TPAs 9530.01–.22 to provide nonauthoritative guidance on reporting on controls at a service organization relevant to subject matter other than user entities’ ICFR, specifically controls at a service organization relevant to the security, availability or processing integrity of a system or the confidentiality or privacy of the information the system processes. This engagement uses the Trust Services criteria to evaluate the attributes of a system. These TPAs provide information about and differentiate the three SOC engagements included in the SOC report series (SOC 1 for SSAE no. 16 engagements, and SOC 2 and SOC 3 for reporting on controls over the attributes of a system using the Trust Services criteria).

The TPAs provide information about the source of the guidance for performing and reporting on these engagements, and the authority of the new SOC 1 and SOC 2 guides. The section also includes a table that (1) identifies a variety of attestation engagements that involve reporting on controls and (2) the appropriate attestation standard or interpretive guidance to be used in the circumstances.

Recently issued TPAs are available at

More from the JofA:

 Find us on Facebook  |   Follow us on Twitter  |   View JofA videos


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.