SSAE No. 21 & SSAE No. 22: What You Need to Know


It can be a challenge to keep up with all the changes to compliance standards and reporting. It’s important that your assessor has the knowledge to help your service organization navigate the ever-evolving world of SOC* compliance. Let’s take a look at two recent changes, SSAE No. 21 & SSAE No. 22. 

SSAE No. 21 Key Points

SSAE No. 21 adds a new section (AT-C Section 206) to the reporting standards that provides your assessor with additional direction as it relates to direct assessments. Practitioners would be able to provide an assessment opinion for measurements on both financial and non-financial topics related to relevant criteria. 

This change is meant to help assessors respond more flexibly to the changing security landscape and to allow for assessment of evolving technologies, providing a third-party assessment of things that are very specific to your industry.

Along with the new guidance on direct assessments, SSAE No. 21 also adds clarification for specific terms in AT-C Section 105, Concepts Common to All Attestation Engagements. 

This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation. 

Learn more: AICPA SSAE No. 21 at a Glance 

SSAE No. 22 Key Points

SSAE No. 22 is meant to add additional transparency to review engagements. Typically, during a review engagement, the assessor is provided with a limited assurance that specified controls meet necessary guidelines. This update does 3 main things: 

  1. It offers clarity to practitioners on the purpose of a review engagement: it is meant to obtain limited assurance, not to complete an analysis of the assertion.
  2. It promotes transparency by detailing the procedures completed in order to obtain the limited assurance. 
  3. It allows an assessor to issue an adverse opinion in the event that the subject material is not communicated in accordance with the guidelines or there is insufficient evidence. 

This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation.  

Learn more: AICPA SSAE No. 22 at a Glance 

Choose an Experienced SOC* Partner

When it comes to your SOC* assessment, it’s important to have a partner you can trust. With over 2,500 compliance reports completed, our assessment team has the industry expertise you need to take your compliance goals from overwhelming to under control. Contact a specialist today to learn about our simple SOC process.  
