December 24th, 2011
SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.
SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.
Who Needs an SSAE 16 (SOC 1) Audit?
If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:
- * Payroll Processing
- * Loan Servicing
- * Data Center/Co-Location/Network Monitoring Services
- * Software as a Service (SaaS)
- * Medical Claims Processors
What you Need to Know:
Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:
- Does my Company need an SSAE16, or, are we doing it just because someone asked?
- Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
- Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
- Have you determined the controls in place which affect the outsourced services being provided?
- Have key stakeholders been defined and included in discussions?
There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist
Tags: definition soc 1 ssae 16, how ssea 16 helps auditors, soc 1, soc 1 audit, ssae 16 audit, ssae 16 audit checklist, ssae 16 audit report, ssae 16 auditing standard, ssae 16 checklist, ssae soc auditing and reporting, SSAE16, ssae16 audit, ssae16 checkilst, what is ssae 16 audit, what is ssae16 audit, what is the purpose of a ssae 16 audit?
Posted in ISAE 3402, SOC 1, SSAE 16, SSAE 16 Type II | No Comments »
January 25th, 2012
Criteria, as defined by the SSAE 16 guidance are:
The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.
Criteria are the overreaching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.
There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.
Tags: Criteria, determine best practices criterion, requirements for ssae 16, soc 1, SSAE 16, ssae 16 criteria, ssae 16 criteria manual, ssae 16 guidance, ssae 16 requirements, SSAE 16 Terminology, SSAE No. 16, ssae standards, ssae16 availability criteria, ssae16 criteria
Posted in SOC 1, SSAE 16 Terminology | 1 Comment »
January 22nd, 2012
The SOC 3 Report , just like SOC 2, is based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report can be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2 where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on their website upon successful completion.
The Trust Service Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction (online retailer), builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.
The SysTrust review encompasses a combination of the following principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
The WebTrust certification can fall into the following four categories:
-
WebTrust. The scope of the engagement includes any combination of the trust principles and criteria .
- WebTrust Online Privacy. The scope of the engagement is based upon the online privacy principle and criteria.
-
WebTrust Consumer Protection. The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
-
WebTrust for Certification Authorities. The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.
Tags: are soc and systrust the same, availability, confidentiality, processing integrity, security, soc 2 vs webtrust, SOC 3, SOC 3 Report, soc 3 reporting, SOC3, SOC3 report, ssae 16 soc 3 report, systrust, systrust report, webtrust, webtrust vs systrust
Posted in AT-101, SOC 3 | No Comments »
January 19th, 2012
The Service Organization Control (SOC) 2 Report will be performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 16). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls. 
The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, making it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy.
Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls to prevent SOC 1 from being misused just like SAS 70 was.
Did you know? A business isn’t required to address all the principles, the reviews can be limited only to the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS Providers, Data Center/ Colocations, Document Production, and Data Analytics providers.
Tags: at101, soc 2, soc 2 controls, soc 2 principles, soc 2 report, soc 2 report user, soc 2 reports, soc 2 trust principles, soc2, ssae 16 five principles, ssae 16 soc 2, ssae 16 soc 3, ssae 16 soc2, SSAE16, trust service principles, what is a soc 2 report
Posted in AT-101, SOC 2 | No Comments »
January 16th, 2012
The first difference between the SSAE 16 and ISAE 3402 Standards is that SSAE 16 requires the service auditor to assess the risk associated with potential “Intentional Acts by Service Organization Personnel”.
Under SSAE 16, If the service auditor, while performing their review, notices deviations that could have been a result of an intentional act by an employee of the service organization, the auditor is required to dig into it. The reasoning for this is to determine whether or not the description of the service organization’s system is not fairly presented and that the controls are not suitably designed or operating effectively.
So, it seems that in this case, the SSAE 16 standard is a bit stricter. If the auditor is not required to dig into an intentional act committed by an employee of the service organization, how would the Auditing Firm and User Organizations feel comfortable with the report? In my opinion, they shouldn’t. Without any consequences for the service organization (failed report), there is an incentive for the service organization to try and operate outside the control structure as defined as it is unlikely that they would be held responsible for their actions. This might be a question you would want to dig into if you are going to use a company that has only been issued an ISAE 3402 report.
Be on the lookout for the next post related to the difference between SSAE 16 and ISAE 3402, Anomalies.
Tags: difference between isae 3402 and ssae 16, difference between ssae 16 and isae 3402, difference between ssae and isae, differences between isae 3402 and ssae 16, ISAE 3402, isae 3402 soc 2, isae 3402 vs ssae 16, ssae 10 versus isae, ssae 16 vs isae 3402, technical differences between ssae16 and isae3402
Posted in ISAE 3402 | No Comments »
January 13th, 2012
If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors? What will they do with it once they have it?
A high level explanation per the SSAE 16 Guidance:
(1) access to all information, such as records and documentation, including service
level agreements, of which management is aware that is relevant to the
description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for
the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the
service auditor determines it is necessary to obtain evidence relevant to the
service auditor’s engagement; and
(4) written representations at the conclusion of the engagement
Basically, you must give up anything needed by the service auditor that will permit them to attest to “Management’s description of the service organization’s system”, the main change associated with SSAE 16.
Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organization’s SSAE 16 reports. Controls will also require you to pass off policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation.
The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access, it would be impossible for the auditors to have a clear understanding of the processes when testing your controls. However, this shouldn’t be viewed as a negative, it will help your employees improve their processes in the future by gaining tips and insight from the auditors that will help them be better prepared for next year’s audit. Also, it will help clear up any potential findings or issues the auditors find, as in many cases there is no problem and an explanation is all that is needed, making the audit go MUCH smoother.
All of the documentation and information provided will never be seen by anyone other than the auditors performing the testing. The documentation is needed for the service auditors to assess the design and operating effectiveness of your controls. Once the testing and review phases are complete, your report will be issued and all that will be included is whether you either passed or failed that control, so don’t worry!
If you have any questions feel free to leave them in the comments section below and we will do our best to respond!
Tags: audit engagement, management must provide, documentation, firewall configuration, policies and procedures, service auditors, solutions, SSAE 16, ssae 16 documentation, ssae 16 documents, ssae 16 report, what does company need to provide for audit, what information do auditors need, what kind of engagements could you as auditor provide, what to provide to auditors, why organisations need auditors., will auditors be needed?
Posted in SSAE 16 | No Comments »
January 7th, 2012
SSAE 16 was built upon the ISAE 3402 framework, which essentially is the same thing, but accepted at an international level with a number of deviations to be discussed here over time. The AICPA and other standard settings organizations are now encouraged to design their frameworks for reporting on controls at a service organization around the ISAE 3402 framework, this will allow for increased fluidity and lower expenses to complete globally. ISAE 3402 was intentionally designed to allow for minor modifications to adjust for local protocols and existing frameworks.
SSAE 16 contains 9 deviations from the ISAE 3402 framework, at a high level include:
1. Intentional Acts by Service Organization Personnel
2. Anomalies
3. Direct Assistance
4. Subsequent Events
5. Statement Restricting Use of the Service Auditor’s Report
6. Documentation Completion
7. Engagement Acceptance and Continuance
8. Disclaimer of Opinion
9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report
These topics will be delved into in greater depth at a later time, however, are not of concern if you do not plan on performing outsourcing services for an organization located outside of the United States.
Tags: (isae3402 or ssae16) & part2, isae 16, ISAE 3402, isae 3402 ssae 16, isae 3402 vs ssae 16, isae vs ssae, isae3402 ssae16, isae3402 vs ssae16, ssae 16 framework, ssae 16 isae 3402, ssae 16 vs isae 3402, ssae vs isae, ssae16 and isae 3402, ssae16 isae 3402, ssae16 vs isae 3402, ssae16 vs isae3402
Posted in ISAE 3402 | 1 Comment »
January 4th, 2012
Controls at a Service Organization refer to the controls that are in place at your company.
Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.
Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.
Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.
Tags: audit, controls, mandatory ssae16 controls, p&p controls, procedures, SSAE 16, ssae 16 controls, ssae 16 service organization control, SSAE 16 Terminology, SSAE No. 16
Posted in SSAE 16 Terminology | No Comments »
December 29th, 2011
An SOC 1 Report (Service Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance.
Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:
In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future.
Tags: soc 1, soc 1 report, soc 1 reports, soc 1 type 2, soc 1 type 2 report, soc 2, SOC 3, SOC Report, soc reporting, soc type, soc type 1 report, soc1, soc1 report, SSAE 16, ssae 16 reports, ssae 16 soc 1, ssae16 compliant soc 1, what is a soc1 report
Posted in SSAE 16, SSAE 16 Type II | No Comments »
December 21st, 2011
I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SSAE 16 Report Type I or Type II. So, I will give you guys a breakdown of some of the things you should be doing now, and some things to think about down the line as you progress.
This SSAE 16 Checklist is geared towards service organizations whom have never done a SAS 70 in the past and will be taking up the task this coming year when SSAE 16 will be in full effect. A more detailed version geared towards companies that have some experience being audited will be coming down the line.
- Do your research.
- You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable.
- Find a few CPA firms who perform SSAE 16′s (or SAS 70).
- You will want to research a number of firms that could perform and sign off on your SSAE 16 Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.
- Some things to consider:
1. The size of your company – You may not be able to afford a large CPA firm.
2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 16 if it was performed by a firm that isn’t well known.
3. Total SSAE 16′s or SAS 70′s performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.
4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.
- Narrow your search.
- Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost, you should narrow down your search to the top 2 companies.
- Pricing for SSAE 16′s and SAS 70′s can vary greatly depending upon the company performing the work and the size of your organization, however, I wouldn’t expect to pay any less than $25,000-$30,000.
- You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.
- Define the scope.
- Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.
- Define your control objectives and activities.
- In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreeance. If this isn’t completed prior to testing, you are asking for a world of trouble.
- Perform a Readiness Assessment.
- You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.
These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.
If you have any further questions please Contact Us!
Tags: checklist, control activities, control objectives, readiness assessment, SAS 70, SAS70, scope, SSAE 16, ssae 16 audit checklist, ssae 16 checklist, SSAE 16 Preparation, ssae 16 process mapping guide, ssae 16 report, SSAE 16 Review, ssae 16 review checklist, ssae 16 testing definition
Posted in SSAE 16, SSAE 16 Preparation | No Comments »
December 12th, 2011
Some organizations have heard of SAS 70 or SSAE 16, but, don’t really know WHY they need to pay to have a bunch of auditors trounce through their company for a month or two during the year, especially right after their financial audit just finished.
The answer is simple: Many companies will not even think about using your company to perform services for them without a clean Type II Report in place.
Some benefits of having an SSAE 16 performed:
- Ability to perform outsourcing services for Public Companies.
- If performing financially significant duties for a Public Company, they are required to use a SSAE 16 qualified provider as it is the only way to give investors assurance over controls that are not performed by the Company in question.
- Public and Private companies are more likely to trust your organization with their data.
- If you were to trust a company with your data, you would want complete assurance it will be handled with the utmost care
- A year round accessible knowledge source (your auditors).
- As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce your questions and concerns off of a group of trusted individuals.
- A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
- Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve to ensure everything functions well the following period.
- Improving performance of the organization.
- Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.
Think of the SSAE 16 as an annual investment into your company, increasing potential new clients, productivity and accountability.
Tags: is ssae 16 needed, reports, reviewing ssae 16, SSAE 16, ssae 16 audit review, SSAE 16 Review, ssae 16 review checklist, ssae 16 reviews, ssae review, ssae reviews, SSAE16, ssae16 review, standards, third party ssae guidance review, who is required to have a ssae 16, who is required to have ssae 16
Posted in SSAE 16, SSAE 16 Type II | No Comments »
December 9th, 2011
When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon.
Today we will discuss the Carve-out Method.
When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.
Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.
Tags: carve out method sas 70, carve out methode, carve out methodology, carve out process, Carve-out Method, sas 70 carve out method, SSAE 16, ssae 16 carve out, ssae 16 carve-out method, SSAE 16 Terminology, ssae 16 terms, ssae16 carve out, Subservice Organization, what is carve out method
Posted in SSAE 16, SSAE 16 Terminology | No Comments »
December 6th, 2011
There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take.
While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs.
The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance:
a description of the service organization’s system prepared by management of the service organization.
- Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.
a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:
1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.
- Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)
The final component:
a service auditor’s report that expresses an opinion on the matters in b1-2.
- The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.
Specifics of reporting details for a SSAE Type I will be discussed later on!
Tags: in an ssae 16 report where are the findings listed?, sample ssae 16, sample ssae 16 report, SSAE 16, ssae 16 report, ssae 16 report example, ssae 16 reports, ssae 16 sample report, ssae 16 sample reports, ssae 16 type, ssae 16 type 1, ssae 16 type 1 report, ssae 16 type i, ssae16 sample report, type 1 report, Type I Report
Posted in SSAE, SSAE 16 Type I, Type I Report | 1 Comment »
December 3rd, 2011
So you have been performing a SAS 70 for the last couple years, or, are getting ready prepared to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued!
Don’t worry about it!
SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your company and the rest of the companies in the US up to date with new international service organization reporting standards, ISAE 3402. This will help allow you and your counterparts in the US be able to compete on an international level, allowing for companies around the world to be able to use YOU as their service organization with complete comfort.
One very important issue that you should be very aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12 month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the New Standards as of July 1, 2010.
Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042:
1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
- The fairness of the presentation of the description of the service organization’s system;
- The suitability of the design of the controls to achieve the related control objectives stated in the description; and
- The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)
2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.
Changes that Directly Impact Type II Engagements
1) The Service Auditor’s opinion on the fairness of the presentation of description of the service organization’s system and on the suitability of the design of the controls would be for a full period, as opposed to a specified date. (i.e. Your report would be for the 6 months covering July 2010 through December 2010.)
- The Type II report would identify the customers to whom use of the report is restricted as “customers of the service organization’s system during some or all of the period covered by the service auditor’s report”
2) Evidence obtained in prior engagements related to the satisfactory operation of controls in prior periods will not be sufficient to reduce the amount of testing performed.
Expected Change Which Didn’t Occur:
While it was expected that SSAE 16 would build upon the previous SAS 70 standard of reporting only on financial reporting activities and allow a service organization to branch out in to other areas of their business, such as regulatory compliance and performance metrics, this was not included within the initial final version of the New Standard and there has been no guidance as to when it would be expected, if ever, to be.
Tags: description of new ssae16, effective date of ssae 16, effective date ssae 16, new ssae 16, SAS70, soc 1, SSAE 16, ssae 16 effective date, ssae 16 implementation date, ssae 16 standard, ssae 16 type 2, ssae 16 type ii, ssae 16 type ii report, SSAE No. 16, ssae-16 type ii, SSAE16
Posted in SOC 1, SSAE, SSAE 16 | 1 Comment »
November 30th, 2011
This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins.
What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right.
What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately.
Many times people try to speed this process up and half-ass it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs.
Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report.
We have seen issues like this cause delays in issuing of the report to the client and running additional fees, since adjusting controls isn’t free. Coming from the perspective of the auditor, we can let you know the pitfalls, consequences and how to best navigate the audit process. If you have any comments or questions please leave them below!
Tags: controls, report writing, SSAE 16 Preparation, ssae 16 report, SSAE No. 16
Posted in SOC 1, SSAE 16, SSAE 16 Preparation, SSAE 16 Type II | No Comments »
November 27th, 2011
Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question.
This will be a real basic one to help get everyone up to speed, we will delve into other areas that may be a little more advanced in the future.
Example: Firewalls are in place at all externally facing access points.
The point of this control is to ensure that firewalls are being used at the organization to help prevent hacking attempts, thus, the theft of data. Companies outsourcing their workloads want to have comfort that the company performing the work has adequate security measures in place to lower the chance of their data being stolen.
Firewalls are some of the most basic devices that need to be in place at a business to protect data and if your business does not currently employ firewalls on their network, it is a must do and should be looked into immediately.
Tags: controls, example of ssae 16 report, example ssae 16 report, firewall, sample soc 2 report, sample ssae 16 report, sixteen control, soc 3 example, sop template ssae-16, SSAE 16, ssae 16 controls, ssae 16 example, ssae 16 examples, ssae 16 report example, ssae 16 sample controls, ssae 16 sample report
Posted in controls | No Comments »
