Compliance Reports: Statement on Standards for Attestation Engagements (SSAE 16)

Document created by RSA Information Design and Development on May 25, 2016•Last modified by RSA Information Design and Development on Jun 17, 2019

Version 179Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Statement on Standards for Attestation Engagements (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) specifically geared towards addressing engagements conducted by service organizations to report on the design of controls and their operating effectiveness.

Dependencies

The SSAE 16 compliance reports have the following dependencies.

SA Rules	SA Lists	App Rules
Accounts Created Accounts Deleted Accounts Modified Group Management Password Changes Password Changes Summary User Access Revoked Change in Audit Settings Admin Access to Compliance Systems Details Admin Access to Compliance Systems Summary Change in Audit Settings Access To Compliance Data Details Access to Compliance Data Summary Logon Failures Details Logon Failures Summary User Access to Compliance Systems Details User Access to Compliance Systems Summary	Administrative Users Compliance Data Compliance Systems	account:created account:deleted account:modified account:logon-success config:change-audit-setting account:group-management account:logon-failure account:password-change access:user-access-revoked alm:cardholder-data

SA Rules

SA Lists

App Rules

Accounts Created

Accounts Deleted

Accounts Modified

Group Management

Password Changes

Password Changes Summary

User Access Revoked

Change in Audit Settings

Admin Access to Compliance Systems Details

Admin Access to Compliance Systems Summary

Change in Audit Settings

Access To Compliance Data Details

Access to Compliance Data Summary

Logon Failures Details

Logon Failures Summary

User Access to Compliance Systems Details

User Access to Compliance Systems Summary

Administrative Users

Compliance Data

Compliance Systems

account:created

account:deleted

account:modified

account:logon-success

config:change-audit-setting

account:group-management

account:logon-failure

account:password-change

access:user-access-revoked

alm:cardholder-data

Citations

The SSAE 16 reports have the following Citations.

Report Rule	Citation Number	Citation Description
Accounts Created	SOX 404	Management assessment of internal controls.
Accounts Deleted	SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1	Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.
Accounts Modified	SOX 404	Management assessment of internal controls.
Group Management	SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1	Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.
Account Management	SOX 404	Management assessment of internal controls.
Admin Access to Compliance Systems - Detail	Sox 404; ISO 27002 - 10.10.4	Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.
Admin Access to Compliance Systems - Top 25	Sox 404; ISO 27002 - 10.10.4	Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.
Change in Audit Settings	SOX 404; ISO 15408-2	Management assessment of internal controls; The system should ensure that security policy enforcement functions succeed before functions are allowed to proceed.
Access to Compliance Data - Detail	SOX 404	Management assessment of internal controls.
Access to Compliance Data - Top 25	SOX 404	Management assessment of internal controls.
Logon Failures - Detail	SOX 404; ISO 27002 - 11.5.1	Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
Logon Failures - Top 25	SOX 404; ISO 27002 - 11.5.1	Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
Password Changes - Detail Password Changes - Top 25	SOX 404	Management assessment of internal controls.
User Access Revoked	SOX 404; ISO 27002 - 11.2.1	Management assessment of internal controls; Users who have changed jobs or left the organization should have their access rights removed immediately.
User Access to Compliance Systems - Detail	Sox 404; ISO 27002 -11.5.1	Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
User Access to Compliance Systems - Top 25	Sox 404; ISO 27002 -11.5.1	Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.

You are here

Table of Contents > Compliance Reports: Statement on Standards for Attestation Engagements (SSAE 16)

Compliance Reports: Statement on Standards for Attestation Engagements (SSAE 16)

Dependencies

Citations

Attachments

Outcomes

Related Content

Recommended Content

Incoming Links