Tag: ssae 16 report

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being tested; if they don't, a headache of massive proportions will be created once testing begins. What do you do to make sure you don't screw this up? Have as many meetings as it takes to get it right. What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else who could play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate; that is then reviewed by the auditors, and then the employees performing the tasks should be consulted again to verify that the control still reflects their process accurately. Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn't 100% agreed upon prior to testing and a deviation is noted, it's a tough call between failing the control and adjusting it to accurately reflect the process. The problem is that modifying a control after testing has begun is not proper and needs to be avoided at all costs. Locking the controls down early on could save weeks in wrapping up your new SSAE 16 Report. We have seen issues like this cause delays in issuing the report.


SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities' internal control over financial reporting. The SOC 1 Report is what you would have previously considered to be the standard SAS 70, complete with Type I and Type II reports, but falls under the SSAE 16 guidance (and soon to be SSAE 18). Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports: "SSAE 16 Type I Report Background Information"; "SSAE 16, The New Standard"; and "SSAE 16 Preparation Tips". In addition to the SOC 1 report, which is restricted to controls relevant to an audit of a user entity's financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future. Please see the SOC 1 Reporting Guide page for additional information.


SSAE 16 Type I Report Background Information

There are significant differences between a Type I and Type II report; however, we aren't going to discuss that here, that's for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take. While the Type I Report doesn't carry much weight, there are benefits, and that's why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a "report on a description of a service organization's system and the suitability of the design of controls", essentially, a determination of whether your company's controls are designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company's defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs. The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance: a description of the service organization's system prepared by management of the service organization. – Management will need to prepare a description


What does Management Need to Provide the Auditors?

If you have never been audited before, as is the case with many service organizations, you are probably wondering: what kind of documentation will I need to give the auditors? What will they do with it once they have it? A high level explanation per the SSAE 16 Guidance: (1) access to all information, such as records and documentation, including service level agreements, of which management is aware that is relevant to the description of the service organization's system and the assertion; (2) additional information that the service auditor may request from management for the purpose of the examination engagement; (3) unrestricted access to personnel within the service organization from whom the service auditor determines it is necessary to obtain evidence relevant to the service auditor's engagement; and (4) written representations at the conclusion of the engagement. Basically, you must give up anything needed by the service auditor that will permit them to attest to "Management's description of the service organization's system", the main change associated with SSAE 16. Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organizations' SSAE 16 reports. Controls will also require you to hand over policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation. The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access,


SOC 1 & SOC 2 Preparation Checklist

I've been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SOC 1/2 Report, Type I or Type II. So, I will give you all a breakdown of some of the things organizations should be doing now, and some things to think about down the line as you progress. This SOC Reporting Checklist is geared towards service organizations who have never undergone a SAS 70, SSAE 16, etc. in the past and will be taking up the task this coming year. A more detailed version geared towards companies that have some experience being audited will be coming down the line. Do your research. You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable. Find a few CPA firms who perform over 75 SOC Reports annually. You will want to research a number of firms that could perform and sign off on your SOC Report, which only CPA firms are permitted to do. This process should be handled with the utmost care, as you are putting a lot of trust into the company you choose; they can make or break you. Some things to consider: 1. The size of your


Popular SSAE Resources

User Access Reviews

User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems.
