SSAE 16 Implements Safeguards Rule In Gramm-Leach-Bliley Act

[Image: Phil Gramm, Jim Leach and Thomas Bliley, authors of the Gramm-Leach-Bliley Act. Caption: "Thanks, guys."]

SSAE 16 establishes Service Organization Controls

  • The Gramm-Leach-Bliley Act requires new IT system controls.
  • The Safeguards Rule requires those IT system controls to be certified.
  • The SSAE 16 guidelines replace SAS 70 audit reports.

The Statement of Standards for Attestation Engagements, No. 16 (SSAE 16), issued in April 2010 by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, became effective on June 15, 2011. SSAE 16, issued in response to the dictates of the Safeguards Rule contained in the Gramm-Leach-Bliley Act that became law on November 12, 1999, establishes a universal standard for service organization and user audits. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions such as credit reporting agencies, appraisers, and mortgage brokers that receive customer information from other financial institutions. (For details see Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801.)

Audit opinions and reports such as SAS 70 will no longer be acceptable because they were based on inadequate guidelines for auditing the evaluation and testing of the security, availability, processing integrity, confidentiality or privacy of information technology infrastructures. As such, SAS 70 did not provide adequate assurance that the safety controls of a service organization were sufficient for the protection of user entities. Audits are now performed according to the Service Organization Controls (SOC) established by the American Institute of Certified Public Accountants (AICPA) with the passage of the Statement of Standards for Attestation Engagements (SSAE) 16 in April 2010.

SSAE 16 requires the same level of evidence and assurance that sufficient controls are in place that was intended under a SAS 70 service auditor engagement. Unfortunately, the SAS 70 standards failed to define the degree and type of auditing necessary to provide adequate security and privacy.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS's integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties in compliance with the Gramm-Leach-Bliley Act.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards.
