
Compliance Reports: Statement on Standards for Attestation Engagements (SSAE 16)

Statement on Standards for Attestation Engagements (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It specifically addresses engagements in which service organizations report on the design of their controls and on the operating effectiveness of those controls.

Dependencies

The SSAE 16 compliance reports have the following dependencies.

  • SA Rules:
    Accounts Created
    Accounts Deleted
    Accounts Modified
    Group Management
    Password Changes
    Password Changes Summary
    User Access Revoked
    Change in Audit Settings
    Admin Access to Compliance Systems Details
    Admin Access to Compliance Systems Summary
    Access To Compliance Data Details
    Access to Compliance Data Summary
    Logon Failures Details
    Logon Failures Summary
    User Access to Compliance Systems Details
    User Access to Compliance Systems Summary

  • SA Lists:
    Administrative Users
    Compliance Data
    Compliance Systems

  • App Rules:
    account:created
    account:deleted
    account:modified
    account:logon-success
    config:change-audit-setting
    account:group-management
    account:logon-failure
    account:password-change
    access:user-access-revoked
    alm:cardholder-data

Citations

The SSAE 16 reports have the following citations.

  • Report Rule: Accounts Created
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: Accounts Deleted
  • Citation Number: SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1
  • Citation Description: Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.

  • Report Rule: Accounts Modified
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: Group Management
  • Citation Number: SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1
  • Citation Description: Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.

  • Report Rule: Account Management
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: Admin Access to Compliance Systems - Detail
  • Citation Number: SOX 404; ISO 27002 - 10.10.4
  • Citation Description: Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.

  • Report Rule: Admin Access to Compliance Systems - Top 25
  • Citation Number: SOX 404; ISO 27002 - 10.10.4
  • Citation Description: Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.

  • Report Rule: Change in Audit Settings
  • Citation Number: SOX 404; ISO 15408-2
  • Citation Description: Management assessment of internal controls; The system should ensure that security policy enforcement functions succeed before functions are allowed to proceed.

  • Report Rule: Access to Compliance Data - Detail
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: Access to Compliance Data - Top 25
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: Logon Failures - Detail
  • Citation Number: SOX 404; ISO 27002 - 11.5.1
  • Citation Description: Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.

  • Report Rule: Logon Failures - Top 25
  • Citation Number: SOX 404; ISO 27002 - 11.5.1
  • Citation Description: Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.

  • Report Rule: Password Changes - Detail; Password Changes - Top 25
  • Citation Number: SOX 404
  • Citation Description: Management assessment of internal controls.

  • Report Rule: User Access Revoked
  • Citation Number: SOX 404; ISO 27002 - 11.2.1
  • Citation Description: Management assessment of internal controls; Users who have changed jobs or left the organization should have their access rights removed immediately.

  • Report Rule: User Access to Compliance Systems - Detail
  • Citation Number: SOX 404; ISO 27002 - 11.5.1
  • Citation Description: Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.

  • Report Rule: User Access to Compliance Systems - Top 25
  • Citation Number: SOX 404; ISO 27002 - 11.5.1
  • Citation Description: Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
