Tag: controls

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins. What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right. What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately. Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs. Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report. We have seen issues like this cause delays in issuing of the report

Read More »

Example SSAE 16 Controls – Firewall

Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question. This will be a real basic one to help get everyone up to speed, we will delve into other areas that may be a little more advanced in the future. Example: Firewalls are in place at all externally facing access points. The point of this control is to ensure that firewalls are being used at the organization to help prevent hacking attempts, thus, the theft of data. Companies outsourcing their workloads want to have comfort that the company performing the work has adequate security measures in place to lower the chance of their data being stolen. Firewalls are some of the most basic devices that need to be in place at a business to protect data and if your business does not currently employ firewalls on their network, it is a must do and should be looked into immediately.

Read More »

SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refer to the controls that are in place at your company. Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control. Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed. Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly. This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

Read More »

Get Our Emails

SOC Reporting Guide

Popular SSAE Resources

SOC 2 Cheat Sheet

SANS put together a great overview of SOC 2 terminology, report structure breakdown, and process in their signature cheat sheet format. This is a great document to keep handy if

Read More »

SOC Reporting Guide Newsletter

Facebook-f Twitter

Copyright 2023 © All rights Reserved.