Posts Tagged: SSAE 16 Terminology
Sunday, March 24th, 2013
When performing an SSAE 16 Review, you will be inundated with various terms that you may have never heard before. We plan on continuing with a series of posts dedicated to explaining the terminology you should be aware of, so that when the auditors are explaining things to you, you don’t get lost in the jargon.
Today we will discuss the Carve-out Method.
When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.
Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization. What it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this is to obtain an SSAE 16 report from the subservice organization, assuming the relevant controls are covered within their report.
Thursday, February 28th, 2013
Criteria, as defined by the SSAE 16 guidance, are:
The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.
Criteria are the overarching goals that the control objectives and control activities in place are designed to meet, and on which the final report gives assurance, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criterion, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization; however, management is responsible for making sure that the controls in place support the defined criteria sufficiently.
There are best practice criteria available for most industries that reflect prevailing internal control best practices and requirements from around the world. Some of these can be found on the AICPA website if you would like additional examples.
Monday, February 4th, 2013
Controls at a Service Organization refer to the controls that are in place at your company.
Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.
Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing it would be impossible to have comfort that they are actually being followed.
Simply put, good policies and procedures will only get you so far during an audit, because you still need to prove to the auditors that the functions management says are being performed are actually being carried out correctly.