Tag: ssae-18

Why have an SSAE 16 Review Performed?

Some organizations have heard of SAS 70, SSAE 16, and soon to be SSAE 18, but, don’t really know WHY they need to pay to have a bunch of auditors trounce through their company for a month or two during the year, especially right after their financial audit just finished. The answer is simple: Many companies will not even think about using your company to perform services for them without a clean Type II Report in place. Some benefits of having an SSAE 16 performed: Ability to perform outsourcing services for Public Companies. If performing financially significant duties for a Public Company, they are required to use a SSAE 16 qualified provider as it is the only way to give investors assurance over controls that are not performed by the Company in question. Public and Private companies are more likely to trust your organization with their data. If you were to trust a company with your data, you would want complete assurance it will be handled with the utmost care A year round accessible knowledge source (your auditors). As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce your questions and concerns off of a group of trusted individuals. A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon

Read More »

SSAE 16, The New Standard

So you have been performing a SAS 70 for the last couple years, or, are getting ready prepared to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued! Don’t worry about it! SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your company and the rest of the companies in the US up to date with new international service organization reporting standards, ISAE 3402. This will help allow you and your counterparts in the US be able to compete on an international level, allowing for companies around the world to be able to use YOU as their service organization with complete comfort. One very important issue that you should be very aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12 month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the New Standards as of July 1, 2010. Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042: 1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing

Read More »

SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance (and soon to be SSAE 18). Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports: SSAE 16 Type I Report Background Information SSAE 16, The New Standard SSAE 16 Preparation Tips In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future. Please see the SOC 1 Reporting Guide page for additional information.

Read More »

SSAE 16 Type I Report Background Information

There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take. While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs. The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance: a description of the service organization’s system prepared by management of the service organization. – Management will need to prepare a description

Read More »

What does Management Need to Provide the Auditors?

If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors? What will they do with it once they have it? A high level explanation per the SSAE 16 Guidance: (1) access to all information, such as records and documentation, including service level agreements, of which management is aware that is relevant to the description of the service organization’s system and the assertion; (2) additional information that the service auditor may request from management for the purpose of the examination engagement; (3) unrestricted access to personnel within the service organization from whom the service auditor determines it is necessary to obtain evidence relevant to the service auditor’s engagement; and (4) written representations at the conclusion of the engagement Basically, you must give up anything needed by the service auditor that will permit them to attest to “Management’s description of the service organization’s system”, the main change associated with SSAE 16. Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organization’s SSAE 16 reports. Controls will also require you to pass off policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation. The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access,

Read More »

SSAE 16 Terminology – Criteria

Criteria, as defined by the SSAE 18 (formerly SSAE 16) guidance are: The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter. Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently. There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples. This definition and information is consistent in SSAE-18.

Read More »

SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refer to the controls that are in place at your company. Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control. Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed. Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly. This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

Read More »

SSAE 16 Terminology – Carve-out Method

When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon. Today we will discuss the Carve-out Method. When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement. Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report. This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

Read More »

The SSAE16 Auditing Standard

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence. SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report. The soon to be effective, SSAE-18, is expected to follow a similar reporting structure to the SSAE-16 within a SOC 1 report. Who Needs an SSAE 16 (SOC 1) Audit? If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.Some example industries include: Payroll Processing Loan Servicing Data Center/Co-Location/Network Monitoring Services Software as a Service (SaaS) Medical Claims Processors What you Need to Know: Before starting the SSAE 16 process, there are a number of considerations one must

Read More »

SOC 1 & SOC 2 Preparation Checklist

I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SOC 1/2 Report Type I or Type II. So, I will give you all a breakdown of some of the things organizations should be doing now, and some things to think about down the line as you progress. This SOC Reporting Checklist is geared towards service organizations whom have never undergone a SAS 70, SSAE 16, etc. in the past and will be taking up the task this coming year. A more detailed version geared towards companies that have some experience being audited will be coming down the line. Do your research. You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable. Find a few CPA firms who perform over 75 SOC Reports annually. You will want to research a number of firms that could perform and sign off on your SOC Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you. Some things to consider: 1. The size of your

Read More »

Get Our Emails

SOC Reporting Guide

Popular SSAE Resources