What does Management Need to Provide the Auditors?
If you have never been audited before, as is the case with many service organizations, you are probably wondering: what kind of documentation will I need to give the auditors, and what will they do with it once they have it? At a high level, the SSAE 16 guidance says management must provide:

(1) access to all information, such as records and documentation, including service level agreements, of which management is aware that is relevant to the description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the service auditor determines it is necessary to obtain evidence relevant to the service auditor’s engagement; and
(4) written representations at the conclusion of the engagement.

In short, you must provide whatever the service auditor needs in order to attest to “Management’s description of the service organization’s system”, which is the main change introduced by SSAE 16. Many of the controls at your organization will rely on documents such as service level agreements and the SSAE 16 reports of your subservice organizations. Controls will also require you to hand over policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation. The most intrusive part of the SSAE 16 review is that the auditors will need to talk to any and all of the employees who have a role in performing the controls being tested. Without that access,