Tag: ssae 16 sample report

Example SSAE 16 Controls – Firewall

Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question. This will be a real basic one to help get everyone up to speed, we will delve into other areas that may be a little more advanced in the future. Example: Firewalls are in place at all externally facing access points. The point of this control is to ensure that firewalls are being used at the organization to help prevent hacking attempts, thus, the theft of data. Companies outsourcing their workloads want to have comfort that the company performing the work has adequate security measures in place to lower the chance of their data being stolen. Firewalls are some of the most basic devices that need to be in place at a business to protect data and if your business does not currently employ firewalls on their network, it is a must do and should be looked into immediately.

Read More »

SSAE 16 Type I Report Background Information

There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take. While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs. The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance: a description of the service organization’s system prepared by management of the service organization. – Management will need to prepare a description

Read More »

Get Our Emails

SOC Reporting Guide

Popular SSAE Resources

User Access Reviews

User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems.

Read More »