SSAE No. 18

[6] SAS 70: In April 1992, the AICPA published Reports on the processing of transactions by service organizations; Statement on auditing standards, 070, which provides guidance when auditing the financial statements of an entity that uses a service organization to process transactions that affect financial reporting.

[12] SSAE 16: In April 2010, the AICPA published Statement on Standards for Attestation Engagements no.

It included criteria to supplement COSO principle 12 by addressing controls for logical and physical access, system operations, change management, and risk mitigation.

[19] There have been some notable developments in information assurance audit standards since the initial release of SSAE no.

Cybersecurity Risk Management Reporting Framework: In 2017, the AICPA Assurance Services Executive Committee (ASEC) published new and revised materials that together form a cybersecurity risk management reporting framework.

The framework is intended to assist organizations in their description of cybersecurity risk management activities.

The three resources that form the framework are:[20][21][22]

Trust Services Criteria (TSC): In 2017, as part of the Cybersecurity Risk Management Reporting Framework, the AICPA Assurance Services Executive Committee (ASEC) released updates to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to as control criteria by the Cybersecurity Risk Management Reporting Framework.

18, contains requirements and guidance for examining or performing agreed-upon procedures on prospective financial information.

18, contains requirements and guidance for performing the following types of engagements: AT-C section 320, sourced from SSAE No.

18, effective on June 1, 2001, contains requirements and guidance for attestation engagements regarding management's discussion and analysis (MD&A), such as those presented in annual reports to shareholders.

SSAE 18 section 320, titled "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting", defines two types of report formats, type 1 and type 2, that vary in their content, which further differentiates the level of service to be performed in an attestation engagement for this subject matter:[4][32]

SSAE 18 states that it may be applicable to any subject matter, though the nature of the subject matter is a key factor in determining which sections of the standard are applicable and which attestation engagement service level the practitioner may perform.

All attestation engagements are predicated on the concept that the practitioner reports an opinion about a statement, description, or assertion made by the responsible party about a subject matter.