Controls at a Service Organization refer to the controls that are in place at your company.
Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.
Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.
Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.
Tags: audit, controls, how to pronounce ssae 16, mandatory ssae16 controls, p&p controls, procedures, SSAE 16, ssae 16 control objectives, ssae 16 controls, ssae 16 service organization, ssae 16 service organization control, ssae 16 service organizations, ssae 16 services, SSAE 16 Terminology, SSAE No. 16, ssae16 controls and and control objectives