If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors? What will they do with it once they have it?

A high level explanation per the SSAE 16 Guidance:

(1) access to all information, such as records and documentation, including service
level agreements, of which management is aware that is relevant to the
description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for
the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the
service auditor determines it is necessary to obtain evidence relevant to the
service auditor’s engagement; and
(4) written representations at the conclusion of the engagement

Basically, you must give up anything needed by the service auditor that will permit them to attest to “Management’s description of the service organization’s system”, the main change associated with SSAE 16.

Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organization’s SSAE 16 reports. Controls will also require you to pass off policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation.

The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access, it would be impossible for the auditors to have a clear understanding of the processes when testing your controls. However, this shouldn’t be viewed as a negative, it will help your employees improve their processes in the future by gaining tips and insight from the auditors that will help them be better prepared for next year’s audit. Also, it will help clear up any potential findings or issues the auditors find, as in many cases there is no problem and an explanation is all that is needed, making the audit go MUCH smoother.

All of the documentation and information provided will never be seen by anyone other than the auditors performing the testing. The documentation is needed for the service auditors to assess the design and operating effectiveness of your controls. Once the testing and review phases are complete, your report will be issued and all that will be included is whether you either passed or failed that control, so don’t worry!

If you have any questions feel free to leave them in the comments section below and we will do our best to respond!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

The biggest update in SSAE 18 as it relates to this post is a Company is now required to provide the auditor a detailed risk assessment based around key internal risks where there is potential for material misstatement and supporting controls.

Please use the contact provider form to connect with a qualified professional to answer anymore questions.